Environment: KVM

 Host OS: Debian GNU/Linux 10.7
 Guest OS: FreeBSD 12.2-RELEASE r366954 GENERIC amd64

▼Package update

# pkg update
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100%    916 B   0.9kB/s    00:01
Fetching packagesite.txz: 100%    6 MiB   6.7MB/s    00:01
Processing entries: 100%
FreeBSD repository update completed. 31973 packages processed.
All repositories are up to date.

▼Check installed packages

# pkg info
adwaita-icon-theme-3.38.0      GNOME Symbolic Icons
apache24-2.4.46                Version 2.4.x of Apache web server
apr-1.7.0.1.6.1_1              Apache Portability Library
argyllcms-1.9.2_5              ICC compatible color management system
at-spi2-atk-2.34.2             Assisted Technology Provider module for GTK+
at-spi2-core-2.36.0            Assistive Technology Service Provider Interface
atk-2.36.0                     GNOME accessibility toolkit (ATK)
avahi-app-0.7_3                Service discovery on a local network

--- (output truncated) ---

▼Search the binary package repository for BIND

# pkg search bind9
bind9-devel-9.17.4.a0.2020.09.14 BIND DNS suite with updated DNSSEC and DNS64
bind911-9.11.25                BIND DNS suite with updated DNSSEC and DNS64
bind916-9.16.9                 BIND DNS suite with updated DNSSEC and DNS64

▼Install bind

# pkg install bind916
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 9 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        bind-tools: 9.16.9
        bind916: 9.16.9
        fstrm: 0.6.0
        json-c: 0.15
        libuv: 1.40.0
        lmdb: 0.9.24_3,1
        protobuf-c: 1.3.2_6
        py37-ply: 3.11
        py37-setuptools: 44.0.0

Number of packages to be installed: 9

The process will require 64 MiB more space.
8 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/9] Fetching bind916-9.16.9.txz: 100%    3 MiB   3.3MB/s    00:01
[2/9] Fetching bind-tools-9.16.9.txz: 100%    4 MiB   4.1MB/s    00:01
[3/9] Fetching py37-ply-3.11.txz: 100%  128 KiB 131.4kB/s    00:01
[4/9] Fetching py37-setuptools-44.0.0.txz: 100%  512 KiB 524.4kB/s    00:01
[5/9] Fetching libuv-1.40.0.txz: 100%  119 KiB 121.7kB/s    00:01
[6/9] Fetching json-c-0.15.txz: 100%   62 KiB  63.4kB/s    00:01
[7/9] Fetching protobuf-c-1.3.2_6.txz: 100%  169 KiB 173.2kB/s    00:01
[8/9] Fetching fstrm-0.6.0.txz: 100%   64 KiB  65.6kB/s    00:01
[9/9] Fetching lmdb-0.9.24_3,1.txz: 100%  101 KiB 103.2kB/s    00:01
Checking integrity... done (0 conflicting)
[1/9] Installing py37-setuptools-44.0.0...
[1/9] Extracting py37-setuptools-44.0.0: 100%
[2/9] Installing py37-ply-3.11...
[2/9] Extracting py37-ply-3.11: 100%
[3/9] Installing libuv-1.40.0...
[3/9] Extracting libuv-1.40.0: 100%
[4/9] Installing json-c-0.15...
[4/9] Extracting json-c-0.15: 100%
[5/9] Installing bind-tools-9.16.9...
[5/9] Extracting bind-tools-9.16.9: 100%
[6/9] Installing protobuf-c-1.3.2_6...
[6/9] Extracting protobuf-c-1.3.2_6: 100%
[7/9] Installing fstrm-0.6.0...
[7/9] Extracting fstrm-0.6.0: 100%
[8/9] Installing lmdb-0.9.24_3,1...
[8/9] Extracting lmdb-0.9.24_3,1: 100%
[9/9] Installing bind916-9.16.9...
[9/9] Extracting bind916-9.16.9: 100%
=====
Message from bind916-9.16.9:

--
BIND requires configuration of rndc, including a "secret"
key.  The easiest, and most secure way to configure rndc is
to run 'rndc-confgen -a' to generate the proper conf file,
with a new random key, and appropriate file permissions.

The /usr/local/etc/rc.d/named script will do that for you.

If using syslog to log the BIND9 activity, and using a
chroot'ed installation, you will need to tell syslog to install
a log socket in the BIND9 chroot by running:

  # sysrc altlog_proglist+=named

And then restarting syslogd with: service syslogd restart

▼Configuration file list

named.root

named.local
in-named.rev

out-server-bff.net.zone
www11.158.141.203.in-addr.arpa.zone

▼named.conf settings

The file is written in two parts: # Local Network Zone Setting (for the LAN) and # Global Network Setting.

In the options block, allow-transfer { none; }; is set so that zone transfers are refused by default, and transfer to the secondary DNS server is specified only in the Global Network view.

# named.conf files

#Use with the following in named.conf, adjusting the allow list as needed:
key "rndc.key" {
        algorithm hmac-sha256;
        secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc.key"; };
};
#End of named.conf

acl hogenet {
        192.168.0.0/24;
        127.0.0.1;
};
logging {
  category lame-servers { null; };
  category edns-disabled { null; };
};
options {
        // All file and path names are relative to the chroot directory,
        // if any, and should be fully qualified.
        directory       "/usr/local/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        auth-nxdomain yes;
        allow-query { none; };
        allow-transfer { none; };
        recursion no;
        empty-zones-enable no;
        blackhole { XXX.XXX.XXX.XXX; XXX.XXX.XXX.XXX; }; ←IP addresses to block
        recursive-clients 400;
        lame-ttl 1800;
        version "";
        dnssec-validation no;
};

# Local Network Zone Setting

view "localnet" {
        match-clients { hogenet; };
        recursion yes;
        allow-transfer { hogenet; };
        allow-recursion { hogenet; };
        allow-query { hogenet; };

        zone "." {
                type hint;
                file "/usr/local/etc/namedb/named.root";
        };
        zone "server-bff.net"{
                type master;
                file "in-server-bff.net.zone";
        };
        zone "0.0.127.in-addr.arpa"{
                type master;
                file "named.local";
        };
        zone "0.168.192.in-addr.arpa"{
                type master;
                file "in-named.rev";
        };
};

# Global Network Setting

view "globalnet" {
        match-clients { any; };
        allow-query { any; };
        recursion no;

        zone "server-bff.net"{
                type master;
                file "out-server-bff.net.zone";
                allow-transfer {
                XXX.XXX.XXX.XXX; ←IP address of the secondary DNS server
                };
                also-notify {
                XXX.XXX.XXX.XXX; ←IP address of the secondary DNS server
                };
        };

        zone "SUB11.158.141.203.in-addr.arpa"{
                type master;
                file "www11.158.141.203.in-addr.arpa.zone";
                allow-transfer {
                XXX.XXX.XXX.XXX; ←IP address of the secondary DNS server
                };
                also-notify {
                XXX.XXX.XXX.XXX; ←IP address of the secondary DNS server
                };
        };

};
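The split-view layout above relies on three properties that are easy to break when the file is edited later: the view that matches any must not recurse, no zone may allow transfers to any, and the version string must stay hidden. The script below is an added example, not code from this page or from BIND: it parses the subset of the named.conf grammar used above (blocks, simple statements, // # and /* */ comments) and reports violations of those three rules, following BIND's inheritance order (zone over view over options) and BIND 9.16's defaults (recursion yes, allow-transfer any). The embedded configuration is constructed after the page's, with the RFC 5737 address 198.51.100.53 standing in for the XXX.XXX.XXX.XXX secondary-server placeholder; lint_named_conf, SAMPLE_NAMED_CONF and WEAK_NAMED_CONF are my own names.

```python
import re

# Constructed sample modelled on the page's named.conf; 198.51.100.53 is an
# RFC 5737 documentation address standing in for the XXX.XXX.XXX.XXX
# secondary-server placeholder.
SAMPLE_NAMED_CONF = """
acl hogenet { 192.168.0.0/24; 127.0.0.1; };
options {
        // All file and path names are relative to the chroot directory
        allow-transfer { none; };
        recursion no;
        version "";
};
view "localnet" {
        match-clients { hogenet; };
        recursion yes;
        allow-transfer { hogenet; };
        zone "server-bff.net" { type master; file "in-server-bff.net.zone"; };
};
view "globalnet" {
        match-clients { any; };
        allow-query { any; };
        recursion no;
        zone "server-bff.net" {
                type master;
                file "out-server-bff.net.zone";
                allow-transfer { 198.51.100.53; };
        };
};
"""
# Constructed weakened variant: recursion opened to everyone, AXFR to anyone.
WEAK_NAMED_CONF = (SAMPLE_NAMED_CONF
                   .replace("recursion no;", "recursion yes;")
                   .replace("allow-transfer { 198.51.100.53; };", "allow-transfer { any; };"))


def _tokenize(text):
    """Drop /* */ blocks and // or # comments, then split into quoted strings,
    braces, semicolons and bare words (a simplified subset of BIND's grammar)."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(^|\s)(//|#)[^\n]*", " ", text, flags=re.M)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)


def _parse(tokens, pos=0):
    """Parse statements until '}' or end of input into (words, body) pairs:
    words are the leading tokens (quotes removed), body the parsed { } list
    or None for a simple statement."""
    stmts, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "}":
            break
        if tok == "{":
            body, pos = _parse(tokens, pos)
            if pos < len(tokens) and tokens[pos] == ";":
                pos += 1
            stmts.append((tuple(words), body))
            words = []
        elif tok == ";":
            if words:
                stmts.append((tuple(words), None))
            words = []
        else:
            words.append(tok.strip('"'))
    return stmts, pos


def _get(block, name):
    """Configured value of `name` in a block: the words after it, or the items
    of its { } list. None when the statement is not present."""
    for words, body in block:
        if words[:1] == (name,):
            return list(words[1:]) if body is None else [" ".join(w) for w, _ in body]
    return None


def _first(*values):
    """First explicitly configured value, innermost scope first."""
    return next((v for v in values if v is not None), None)


def lint_named_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    stmts, _ = _parse(_tokenize(text))
    options = next((b for w, b in stmts if w == ("options",) and b is not None), [])
    findings = []
    if _get(options, "version") != [""]:
        findings.append("options: version string is not hidden")
    for words, body in stmts:
        if words[:1] != ("view",) or body is None:
            continue
        view, clients = words[1], _get(body, "match-clients") or []
        # A view inherits from options; BIND's own default is recursion yes.
        recursion = _first(_get(body, "recursion"), _get(options, "recursion"), ["yes"])
        if "any" in clients and recursion == ["yes"]:
            findings.append(f"view {view}: recursion is open to match-clients any")
        for zwords, zbody in body:
            if zwords[:1] != ("zone",) or zbody is None:
                continue
            # Zone overrides view, which overrides options; BIND 9.16 defaults to any.
            xfer = _first(_get(zbody, "allow-transfer"), _get(body, "allow-transfer"),
                          _get(options, "allow-transfer"), ["any"])
            if "any" in xfer:
                findings.append(f"view {view}: zone {zwords[1]} allows AXFR from any")
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_NAMED_CONF), ("weakened", WEAK_NAMED_CONF)):
        print(label, lint_named_conf(conf) or ["ok"])
```

To lint the live file, pass open("/usr/local/etc/namedb/named.conf").read() to lint_named_conf. This complements named-checkconf, which validates syntax but not policy; it also does not replace a query test from outside the LAN (dig against the server for a recursive name, and an AXFR request, should both be refused).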

▼rndc (remote name daemon control) configuration

# rndc-confgen -b 512 -k rndc.key
# Start of rndc.conf
key "rndc.key" {
        algorithm hmac-sha256;
        secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
};

options {
        default-key "rndc.key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc.key" {
#       algorithm hmac-sha256;
#       secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
# };
#
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndc.key"; };
# };
# End of named.conf

Save the output above, from # Start of rndc.conf through # End of rndc.conf, under the name rndc.conf. Then take the part from # Use with the following in named.conf, adjusting the allow list as needed: through # End of named.conf, remove the leading # from the key and controls lines, and append it to named.conf.

▼rndc.conf

# Start of rndc.conf
key "rndc.key" {
        algorithm hmac-sha256;
        secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
};

options {
        default-key "rndc.key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf

▼Append the following to named.conf.

#Use with the following in named.conf, adjusting the allow list as needed:
key "rndc.key" {
algorithm hmac-sha256;
secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
};

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc.key"; };
};
#End of named.conf

▼Generate the key

# rndc-confgen -a -b 512 -k rndc.key
wrote key file "/usr/local/etc/namedb/rndc.key"

Copy the secret from the generated rndc.key file into the secret field of rndc.conf, replacing the XXXXXXXX placeholder, and save.

# vi rndc.key

key "rndc.key" {
        algorithm hmac-sha256;
        secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
};
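rndc.conf and the key block appended to named.conf must carry the same secret, because rndc authenticates every command with an HMAC over that shared key; if the XXXXXXXX placeholder is left in either file, or the two secrets differ, named closes the control connection and rndc reports that the key may be invalid. The script below is an added example rather than code from the page or from BIND: it generates a secret the way rndc-confgen -b does (bits/8 random bytes, base64-encoded), renders the two fragments shown above, and cross-checks them. generate_secret, render_rndc_conf, render_controls, parse_keys and check_rndc_keys are my own names, and the minimum key length table is a threshold chosen for this example (the HMAC's output size), not a BIND requirement.

```python
import base64
import re
import secrets

# One key block: name, algorithm and base64 secret, in the layout rndc-confgen prints.
KEY_BLOCK = re.compile(
    r'key\s+"(?P<name>[^"]+)"\s*\{\s*algorithm\s+(?P<alg>[\w-]+)\s*;'
    r'\s*secret\s+"(?P<secret>[^"]*)"\s*;\s*\}')

# Threshold chosen for this example: at least the HMAC's output size.
MIN_KEY_BYTES = {"hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}


def generate_secret(bits=512):
    """Random secret of `bits` bits, base64-encoded as rndc-confgen -b does."""
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


def render_rndc_conf(secret, name="rndc.key", alg="hmac-sha256"):
    """Client side: the rndc.conf layout shown on the page."""
    return f"""key "{name}" {{
        algorithm {alg};
        secret "{secret}";
}};

options {{
        default-key "{name}";
        default-server 127.0.0.1;
        default-port 953;
}};
"""


def render_controls(secret, name="rndc.key", alg="hmac-sha256"):
    """Server side: the key and controls fragment appended to named.conf."""
    return f"""# Use with the following in named.conf, adjusting the allow list as needed:
key "{name}" {{
        algorithm {alg};
        secret "{secret}";
}};

controls {{
        inet 127.0.0.1 port 953
                allow {{ 127.0.0.1; }} keys {{ "{name}"; }};
}};
# End of named.conf
"""


def parse_keys(text):
    """Map key name -> (algorithm, secret). Whole-line # and // comments are
    dropped first, so the commented copy rndc-confgen prints is not read as live."""
    text = re.sub(r"^[ \t]*(#|//)[^\n]*", "", text, flags=re.M)
    return {m["name"]: (m["alg"], m["secret"]) for m in KEY_BLOCK.finditer(text)}


def check_rndc_keys(rndc_conf, named_conf):
    """Findings that would stop rndc authenticating to named; [] means OK."""
    client, server = parse_keys(rndc_conf), parse_keys(named_conf)
    findings = [] if client else ["rndc.conf: no key block found"]
    for name, (alg, secret) in client.items():
        if name not in server:
            findings.append(f"{name}: not defined in named.conf")
            continue
        s_alg, s_secret = server[name]
        if alg != s_alg:
            findings.append(f"{name}: algorithm {alg} in rndc.conf but {s_alg} in named.conf")
        if secret != s_secret:
            findings.append(f"{name}: secret differs between rndc.conf and named.conf")
        try:
            raw = base64.b64decode(secret, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            findings.append(f"{name}: secret is not valid base64 (placeholder left in?)")
            continue
        if len(raw) < MIN_KEY_BYTES.get(alg, 32):
            findings.append(f"{name}: only {len(raw) * 8} key bits for {alg}")
    return findings


if __name__ == "__main__":
    secret = generate_secret()
    print(render_rndc_conf(secret), render_controls(secret), sep="\n")
    # What the check reports when the placeholder is left in named.conf:
    print(check_rndc_keys(render_rndc_conf(secret), render_controls("X" * 50)))
```

To check the live files, pass the contents of /usr/local/etc/namedb/rndc.conf and /usr/local/etc/namedb/named.conf to check_rndc_keys. Because anyone who can read the secret can drive named through the control channel, keep read access to rndc.conf, rndc.key and named.conf limited to root and the named user.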

▼Startup configuration

# vi /etc/rc.conf
named_enable="YES"

▼Start!

# /usr/local/etc/rc.d/named start
Starting named.

▼Check /var/log/messages

Sep  9 12:42:53 www named[63954]: starting BIND 9.16.10 (Stable Release) <id:fac8def>
Sep  9 12:42:53 www named[63954]: running on FreeBSD amd64 12.2-RELEASE FreeBSD 12.2-RELEASE r366954 GENERIC
Sep  9 12:42:53 www named[63954]: built with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr' '--with-readline=-L/usr/local/lib -ledit' '--with-dlz-filesystem=yes' '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' '--enable-tcp-fastopen' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.1' 'build_alias=amd64-portbld-freebsd12.1' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
Sep  9 12:42:53 www named[63954]: running as: named -u bind -c /usr/local/etc/namedb/named.conf
Sep  9 12:42:53 www named[63954]: compiled by CLANG 4.2.1 Compatible FreeBSD Clang 8.0.1 (tags/RELEASE_801/final 366581)
Sep  9 12:42:53 www named[63954]: compiled with OpenSSL version: OpenSSL 1.1.1d-freebsd  10 Sep 2019
Sep  9 12:42:53 www named[63954]: linked to OpenSSL version: OpenSSL 1.1.1h-freebsd  22 Sep 2020
Sep  9 12:42:53 www named[63954]: compiled with libxml2 version: 2.9.10
Sep  9 12:42:53 www named[63954]: linked to libxml2 version: 20910
Sep  9 12:42:53 www named[63954]: compiled with json-c version: 0.15
Sep  9 12:42:53 www named[63954]: linked to json-c version: 0.15
Sep  9 12:42:53 www named[63954]: compiled with zlib version: 1.2.11
Sep  9 12:42:53 www named[63954]: linked to zlib version: 1.2.11
Sep  9 12:42:53 www named[63954]: ----------------------------------------------------
Sep  9 12:42:53 www named[63954]: BIND 9 is maintained by Internet Systems Consortium,
Sep  9 12:42:53 www named[63954]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep  9 12:42:53 www named[63954]: corporation.  Support and training for BIND 9 are
Sep  9 12:42:53 www named[63954]: available at https://www.isc.org/support
Sep  9 12:42:53 www named[63954]: ----------------------------------------------------
Sep  9 12:42:53 www named[63954]: command channel listening on 127.0.0.1#953
Sep  9 12:42:53 www named[63954]: all zones loaded
Sep  9 12:42:53 www named[63954]: running

▼Check the server status

# rndc status
version: BIND 9.16.10 (Stable Release) <id:fac8def> ()
running on www: FreeBSD amd64 12.2-RELEASE FreeBSD 12.2-RELEASE r366954 GENERIC
boot time: Thu, 09 Sep 2021 03:42:53 GMT
last configured: Thu, 09 Sep 2021 03:42:53 GMT
configuration file: /usr/local/etc/namedb/named.conf
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 7 (0 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/360/400
tcp clients: 0/150
TCP high-water: 0
server is up and running

That is all.