Configuring master and slave DNS servers with bind9 on Debian 12

[Figure: master-slave]

What are master and slave DNS servers?

A master DNS server is the server that holds authority for a domain zone: it contains the zone data and is the only one that can modify it. A slave DNS server obtains the zone data from a master server; it has no authority to modify the zone, but it can answer client queries for it.

Requirements

  • Debian 12 installed.
  • Internet access.
  • sudo or root privileges.
  • Two servers with bind9 installed.

Configuring the master DNS server

On the master DNS server, the zones “example.com” and “50.168.192.in-addr.arpa” are defined in the file /etc/bind/named.conf.local:

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { slaves; };
    notify yes;
};

zone "50.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
    allow-transfer { slaves; };
    notify yes;
};

The file /etc/bind/db.example.com defines the records of the zone “example.com”:

;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     dns1.example.com. root.example.com. (
                              6         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;

@       IN      NS      dns1.example.com.
@       IN      NS      dns2.example.com.

$ORIGIN example.com.

dns1    IN      A       192.168.50.31
dns2    IN      A       192.168.50.15
www     IN      A       192.168.50.47
webmin  IN      A       192.168.50.46

And the file /etc/bind/db.192 defines the records of the zone “50.168.192.in-addr.arpa”:

;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     dns1.example.com. root.example.com. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;

@       IN      NS      dns1.example.com.
@       IN      NS      dns2.example.com.

$ORIGIN 50.168.192.in-addr.arpa.
31      IN      PTR     dns1.example.com.
15      IN      PTR     dns2.example.com.
47      IN      PTR     www.example.com.
46      IN      PTR     webmin.example.com.
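
The trailing dot in these files matters: named treats any name without one as relative and appends the current $ORIGIN, so a PTR target typed as dns2.example.com would be stored as dns2.example.com.50.168.192.in-addr.arpa. The linter below is an added example, not code from the original post: it reads a zone file the way named does (SAMPLE_ZONE is a constructed copy of db.192 that repeats that slip on purpose), qualifies every name and flags relative hostname targets; lint_zone, logical_lines and absolute are names chosen here.

```python
"""Lint a BIND zone file the way named reads it: '@' and names without a trailing dot
are expanded against $ORIGIN, so a PTR target typed as 'dns2.example.com' silently becomes
dns2.example.com.50.168.192.in-addr.arpa. Added example; SAMPLE_ZONE is constructed."""

SAMPLE_ZONE = """$TTL    604800
@       IN      SOA     dns1.example.com. root.example.com. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
$ORIGIN 50.168.192.in-addr.arpa.
31      IN      PTR     dns1.example.com.
15      IN      PTR     dns2.example.com
"""
NAME_RDATA = {"PTR", "NS", "CNAME", "MX"}  # last rdata field is a domain name

def logical_lines(text):
    """Drop ';' comments and join a record spread over ( ... ) onto one line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0: continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []

def absolute(name, origin):
    """Qualify a name as named does: '@' is the origin; no trailing dot appends it."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def lint_zone(text, origin):
    """Return (records, warnings): records are (owner, type, rdata) fully qualified."""
    records, warnings, owner = [], [], origin
    for line in logical_lines(text):
        fields = line.split()
        if fields[0] == "$ORIGIN": origin = fields[1]
        if fields[0].startswith("$"): continue  # $TTL and other directives
        if not line[0].isspace():  # a line starting with blanks reuses the previous owner
            owner = absolute(fields.pop(0), origin)
        while fields[0].isdigit() or fields[0] in ("IN", "CH"): fields.pop(0)  # TTL, class
        rtype = fields[0]
        if rtype in NAME_RDATA:
            if not fields[-1].endswith("."):
                warnings.append(f"{owner} {rtype} '{fields[-1]}' is relative; named stores it as {absolute(fields[-1], origin)}")
            fields[-1] = absolute(fields[-1], origin)
        records.append((owner, rtype, " ".join(fields[1:])))
    return records, warnings
```

Run it against the real file with lint_zone(open("/etc/bind/db.192").read(), "50.168.192.in-addr.arpa.") before restarting named; a non-empty warnings list is the same class of error that named-checkzone would also report as a suspicious name.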

We edit the file /etc/bind/named.conf.options to restrict queries to the local network (which includes the slave server) and to define the slaves ACL referenced by the zones above:

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on-v6 { any; };

        auth-nxdomain no;
        recursion no; # Recursion disabled: this server only answers authoritatively for its zones
        allow-query { 192.168.50.0/24; }; # Only queries from the local network are allowed
        allow-transfer { none; }; # Zone transfers are denied by default; each zone overrides this with the slaves ACL

};

acl slaves { # ACL so the slave servers can transfer the zones
  192.168.50.15; # IP of the slave server
};
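
The security-relevant part of this file is the transfer policy: allow-transfer { none; } globally plus the slaves ACL on each zone means only 192.168.50.15 can pull a full copy of the zones with AXFR. The audit script below is an added example, not code from the post: it parses a named.conf fragment (SAMPLE_CONF is constructed from the configuration above, with the reverse zone deliberately opened to any) and reports every master zone whose allow-transfer reaches an address outside the slave list. audit_transfers and parse are names chosen here; built-in match lists such as any or localnets are kept as literal names and therefore flagged.

```python
"""Audit zone-transfer policy in a named.conf fragment: global allow-transfer must
be { none; } and each master zone may allow transfers only to the slave addresses,
directly or via an ACL. Added example, not from the post; SAMPLE_CONF is constructed."""
import re

SAMPLE_CONF = """options {
    allow-transfer { none; };   # global default: nobody
};
acl slaves { 192.168.50.15; };  // IP of the slave server
zone "example.com" {
    type master;
    allow-transfer { slaves; };
};
zone "50.168.192.in-addr.arpa" {
    type master;
    allow-transfer { any; };    /* constructed misconfiguration: open to everyone */
};"""
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def parse(tokens, i=0):
    """Nest the token stream into (words, children) statements; '}' ends a level."""
    stmts, words = [], []
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok == "}": break
        if tok in ("{", ";"):
            sub, i = parse(tokens, i) if tok == "{" else ([], i)
            if words: stmts.append((words, sub))
            words = []
        else:
            words.append(tok.strip('"'))
    return stmts, i

def find(stmts, name):
    return [(w, c) for w, c in stmts if w and w[0] == name]

def allowed(block):  # address-match list of the block's allow-transfer, or None if absent
    return next(([w[0] for w, _ in c] for _, c in find(block, "allow-transfer")), None)

def audit_transfers(conf_text, slave_ips):
    """Return findings as strings; an empty list means the policy is tight."""
    text = re.sub(r"(//|#).*", "", re.sub(r"/\*.*?\*/", "", conf_text, flags=re.S))  # comments
    stmts, _ = parse(TOKEN.findall(text))
    acls = {w[1]: {x[0] for x, _ in c} for w, c in find(stmts, "acl")}
    glob = next((allowed(o) for _, o in find(stmts, "options")), None)
    findings = [] if glob == ["none"] else ["options: global allow-transfer should be { none; }"]
    for words, zone in find(stmts, "zone"):
        if ["type", "master"] not in [w for w, _ in zone]: continue
        lst = allowed(zone) if allowed(zone) is not None else glob  # zone overrides global
        if lst is None:
            findings.append(f"zone {words[1]}: no allow-transfer set, relies on BIND's default")
            continue
        peers = set().union(*(acls.get(x, {x}) for x in lst if x != "none"))  # expand ACL names
        if not peers <= set(slave_ips):
            findings.append(f"zone {words[1]}: allow-transfer reaches {sorted(peers - set(slave_ips))}")
    return findings
```

On the real server, feed it the concatenation of named.conf.options and named.conf.local, since the acl lives in one file and the zones in the other.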

Once the lines are added, we restart the bind9 service:

root@bind9-master:~# systemctl restart bind9

Configuring the slave DNS server

On the slave DNS server, we add the zones “example.com” and “50.168.192.in-addr.arpa” to the file /etc/bind/named.conf.local:

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "example.com" {
    type slave;
    masters { 192.168.50.31; };
    file "db.example.com";
};

zone "50.168.192.in-addr.arpa" {
    type slave;
    masters { 192.168.50.31; };
    file "db.192";
};

We restart the bind9 service:

root@bind9-slave:~# systemctl restart bind9

We use the command systemctl status bind9 to check the state of the bind9 service:

root@bind9-slave:/etc/bind# systemctl status bind9
* named.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/named.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-04-29 13:41:31 UTC; 10s ago
       Docs: man:named(8)
   Main PID: 461 (named)
     Status: "running"
      Tasks: 5 (limit: 28645)
     Memory: 6.2M
        CPU: 45ms
     CGroup: /system.slice/named.service
             `-461 /usr/sbin/named -f -u bind

Apr 29 13:41:31 bind9-slave named[461]: checkhints: b.root-servers.net/A (170.247.170.2) missing from hints
Apr 29 13:41:31 bind9-slave named[461]: checkhints: b.root-servers.net/A (199.9.14.201) extra record in hints
Apr 29 13:41:31 bind9-slave named[461]: checkhints: b.root-servers.net/AAAA (2801:1b8:10::b) missing from hints
Apr 29 13:41:31 bind9-slave named[461]: checkhints: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints
Apr 29 13:41:31 bind9-slave named[461]: zone 50.168.192.in-addr.arpa/IN: Transfer started.
Apr 29 13:41:31 bind9-slave named[461]: transfer of '50.168.192.in-addr.arpa/IN' from 192.168.50.31#53: connected using 192.168.50.31#53
Apr 29 13:41:31 bind9-slave named[461]: zone 50.168.192.in-addr.arpa/IN: transferred serial 5
Apr 29 13:41:31 bind9-slave named[461]: transfer of '50.168.192.in-addr.arpa/IN' from 192.168.50.31#53: Transfer status: success
Apr 29 13:41:31 bind9-slave named[461]: transfer of '50.168.192.in-addr.arpa/IN' from 192.168.50.31#53: Transfer completed: 1 messages,>
Apr 29 13:41:31 bind9-slave named[461]: zone 50.168.192.in-addr.arpa/IN: sending notifies (serial 5)

We check that the slave server has transferred the zones from the master server:

root@bind9-slave:/etc/bind# ls -l /var/cache/bind/
total 16
-rw-r--r-- 1 bind bind  509 Apr 29 13:41 db.192
-rw-r--r-- 1 bind bind  365 Apr 29 13:41 db.example.com
-rw-r--r-- 1 bind bind  821 Apr 29 13:41 managed-keys.bind
-rw-r--r-- 1 bind bind 3200 Apr 29 13:41 managed-keys.bind.jnl

As we can see, the files db.example.com and db.192 have been transferred to the slave server.

Functional test

If the configuration is correct, querying either of the two DNS servers for a record in their zones should return the IP address of the corresponding record.

Query to the master DNS server for the zone “example.com”

root@debian12:~# dig @192.168.50.31 webmin.example.com

; <<>> DiG 9.18.24-1-Debian <<>> @192.168.50.31 webmin.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49695
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: d5e90da3cfc2c70d01000000662fa52f9763519c676d7c6e (good)
;; QUESTION SECTION:
;webmin.example.com.            IN      A

;; ANSWER SECTION:
webmin.example.com.     604800  IN      A       192.168.50.46

;; Query time: 0 msec
;; SERVER: 192.168.50.31#53(192.168.50.31) (UDP)
;; WHEN: Mon Apr 29 13:48:31 UTC 2024
;; MSG SIZE  rcvd: 91

Query to the master DNS server for the reverse zone “50.168.192.in-addr.arpa”

root@debian12:~# dig @192.168.50.31 -x 192.168.50.46

; <<>> DiG 9.18.24-1-Debian <<>> @192.168.50.31 -x 192.168.50.46
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4032
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 23ef3548433dfb1001000000662fa576874fb5c51c147bef (good)
;; QUESTION SECTION:
;46.50.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
46.50.168.192.in-addr.arpa. 604800 IN   PTR     webmin.example.com.

;; Query time: 0 msec
;; SERVER: 192.168.50.31#53(192.168.50.31) (UDP)
;; WHEN: Mon Apr 29 13:49:42 UTC 2024
;; MSG SIZE  rcvd: 115

Query to the slave DNS server for the zone “example.com”

root@debian12:~# dig @192.168.50.15 webmin.example.com

; <<>> DiG 9.18.24-1-Debian <<>> @192.168.50.15 webmin.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27708
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: dab1ad29b1738e3d01000000662fa5a627e6c166ba93ca2a (good)
;; QUESTION SECTION:
;webmin.example.com.            IN      A

;; ANSWER SECTION:
webmin.example.com.     604800  IN      A       192.168.50.46

;; Query time: 0 msec
;; SERVER: 192.168.50.15#53(192.168.50.15) (UDP)
;; WHEN: Mon Apr 29 13:50:30 UTC 2024
;; MSG SIZE  rcvd: 91

Query to the slave DNS server for the reverse zone “50.168.192.in-addr.arpa”

root@debian12:~# dig @192.168.50.15 -x 192.168.50.46

; <<>> DiG 9.18.24-1-Debian <<>> @192.168.50.15 -x 192.168.50.46
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37810
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: bc977f2c50ba7fd801000000662fa5cb03cb93a3d24de178 (good)
;; QUESTION SECTION:
;46.50.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
46.50.168.192.in-addr.arpa. 604800 IN   PTR     webmin.example.com.

;; Query time: 0 msec
;; SERVER: 192.168.50.15#53(192.168.50.15) (UDP)
;; WHEN: Mon Apr 29 13:51:07 UTC 2024
;; MSG SIZE  rcvd: 115

As we can see, both the master and the slave DNS server answer the queries without problems, and both replies carry the aa flag, so each server is answering authoritatively for the zone.

With this we have a master and a slave DNS server configured with bind9 on Debian 12.