Install DNS Server Dan Keamanannya
Written by pnyet
Ok, selanjutnya langsung pada how to instaall DNS server oya disini saya menggunakan CentOS 5.2 dan BIND 9.5P2 sebagai DNS server.
Pertama periksa apakah bind sudha terinstall, hapus user named bila ada
# for a in $(rpm -qa | grep ^bind); do rpm -e --nodeps $a; done
# userdel -r named
Hapus direktori named
# rm -rf /var/named
Download bind, sebelumnya kunjungi link download ini dan pilih source .tar.gz
# wget http://ftp.isc.org/isc/bind9/9.5.0-P2/bind-9.5.0-P2.tar.gz
Ekstrak file source dari bind:
# tar -xzvf bind-9.2.2rc1.tar.gz
Masuk ke direktori hasil ekstrak tadi:
# cd bind-9..5.0-P2
Kemudia konfigurasi file hasil ekstrak tersebut:
# ./configure --prefix=/usr/local/named
# make
# make install
# adduser -d /var/named -s /bin/false named
Kemudian masuk ke direktori user named dan download file named.root yag berisi informasi tentang root server:
# cd /var/named
# wget http://www.internic.net/zones/named.root
Selanjutnya buat file untuk reverse PTR localhost, disini saya menggunakan vi editor [my favorite]
# vi db.127.0.0
Isi file db.127.0.0 adalah :
$TTL 86400
@ IN SOA localhost. root.localhost. (
2003021500 ; serial
28800 ; refresh
14400 ; retry
3600000 ; expiry
86400 ) ; minimum
IN NS localhost.
1 IN PTR localhost.
Format serial adalah yy/mm/dd/hh
# cp db.127.0.0 db.202.123.234
Next.... buat file yang berisi tentang zone dari localhost:
# vi db.localhost
Isi dari file db.localhost adalah :
$TTL 86400
$ORIGIN localhost.
@ IN SOA localhost. root.localhost. (
2003021500 ; serial
28800 ; refresh
14400 ; retry
3600000 ; expiry
86400 ) ; minimum
IN NS localhost.
IN A 127.0.0.1
Buat file db.bind
$TTL 1D
$ORIGIN bind.
@ 1D CHAOS SOA localhost. root.localhost. (
2008102100 ; serial
3H ; refresh
1H ; retry
1W ; expiry
1D ) ; minimum
CHAOS NS localhost.
version.bind. CHAOS TXT "BIND 9.1.3+robhacks"
authors.bind. CHAOS TXT "are better coders than I.:)"
Buat sebuah deirktori untuk menyimpan file konfigurasi dari demon program BIND:
# mkdir /usr/local/named/etc
Buat file /usr/local/named/etc/named.conf yang akan dijadikan sebagai file konfigurasi dari program BIND, dibawah ini saya contohkan file named.conf yang saya gunakan. Ini berdasarkan dari beberapa referensi yang saya temukan di internet:
# vi /usr/local/named/etc/named.conf
Isi dari file named.conf:
acl "xfer" {
202.123.234.100/32; // secondary name server
};
acl "trusted" {
// Masukan ip yang diijinkan melakukan recursive query
// tambah sesuai kebutuhan
202.123.234.0/24; //Example
192.168.0.0/24; //LAN
localhost; //Server ini
};
acl "bogon" {
// Hapus atau comment LAN anda dari acl bogon ini
0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;
5.0.0.0/8;
7.0.0.0/8;
10.0.0.0/8;
23.0.0.0/8;
27.0.0.0/8;
31.0.0.0/8;
36.0.0.0/8;
37.0.0.0/8;
39.0.0.0/8;
42.0.0.0/8;
49.0.0.0/8;
50.0.0.0/8;
77.0.0.0/8;
78.0.0.0/8;
79.0.0.0/8;
92.0.0.0/8;
93.0.0.0/8;
94.0.0.0/8;
95.0.0.0/8;
96.0.0.0/8;
97.0.0.0/8;
98.0.0.0/8;
99.0.0.0/8;
100.0.0.0/8;
101.0.0.0/8;
102.0.0.0/8;
103.0.0.0/8;
104.0.0.0/8;
105.0.0.0/8;
106.0.0.0/8;
107.0.0.0/8;
108.0.0.0/8;
109.0.0.0/8;
110.0.0.0/8;
111.0.0.0/8;
112.0.0.0/8;
113.0.0.0/8;
114.0.0.0/8;
115.0.0.0/8;
116.0.0.0/8;
117.0.0.0/8;
118.0.0.0/8;
119.0.0.0/8;
120.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
173.0.0.0/8;
174.0.0.0/8;
175.0.0.0/8;
176.0.0.0/8;
177.0.0.0/8;
178.0.0.0/8;
179.0.0.0/8;
180.0.0.0/8;
181.0.0.0/8;
182.0.0.0/8;
183.0.0.0/8;
184.0.0.0/8;
185.0.0.0/8;
186.0.0.0/8;
187.0.0.0/8;
192.0.2.0/24;
// LAN saya 192.168.0.0/16;
197.0.0.0/8;
223.0.0.0/8;
224.0.0.0/3;
};
logging {
category lame-servers { null; };
category edns-disabled { null; };
channel default_syslog {
syslog local2;
severity debug;
};
channel audit_log {
file "named_audit.log";
severity debug;
print-time yes;
};
category default { default_syslog; };
category general { default_syslog; };
category security { audit_log; default_syslog; };
category config { default_syslog; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
category queries { audit_log; };
category lame-servers { audit_log; };
};
options {
directory "/var/named";
allow-transfer { "xfer"; };
pid-file "named.pid";
statistics-file "named.stats";
memstatistics-file "named.memstats";
dump-file "named.dump";
zone-statistics yes;
notify no;
transfer-format many-answers;
max-transfer-time-in 60;
interface-interval 0;
allow-query { trusted; };
blackhole { bogon; };
};
view "internal-in" in {
match-clients { trusted; };
recursion yes;
additional-from-auth yes;
additional-from-cache yes;
zone "." in {
type hint;
file "named.root";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "db.127.0.0";
allow-query { any; };
allow-transfer { none; };
};
//Tambahkan domain lokal diarea ini
};
view "external-in" in {
match-clients { any; };
recursion no;
additional-from-auth no;
additional-from-cache no;
zone "." IN {
type hint;
file "named.root";
};
zone "localhost" IN {
type master;
file "db.localhost";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "db.127.0.0";
allow-update { none; };
};
zone "234.123.202.in-addr.arpa" IN {
type master;
file "db.202.123.234";
allow-query { any; };
};
};
view "external-chaos" chaos {
match-clients { any; };
recursion no;
zone "." {
type hint;
file "/dev/null";
};
zone "bind" {
type master;
file "db.bind";
allow-query { trusted; };
allow-transfer { none;};
};
};
key "rndc-key" {
algorithm hmac-md5;
secret "vukamQmCQ9m21eQx/kChqg==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
#End of named.conf
Note: Perhatikan tag pembuka { dan penutupnya };
Selanjutnya generate file konfigurasi yang akan digunakan oleh program rndc, yang perlu diingat adalah hasil dari perintah rndc-confgen tidak selalu sama, sebaiknya diperhatikan.
# /usr/local/named/sbin/rndc-confgen
Kemudian copy paste dari asil perintah diatas mulai dari ibaris "Start of rndc.conf" sampai dengan baris "End of rndc.conf" dan simpan pada direktori dan nama file "/usr/local/named/etc/rndc.conf"
Selanjutnya copy paste lagi mulai dari baris "rndc-key" sampai pada baris paling bawah atau "#End named.conf" ke /usr/local/named/etc/named.conf dan jangan lupa menghilangkan tanda # kecuali pada "#End named.conf" karena yang ini bukan termasuk dalam script konfigurasi atau hanya bersifat menerangkan. Ok, dibawah ini adalah contoh dari langkah-langkah diatas:
Isi dari file /usr/local/named/etc/rndc.conf:
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "vukamQmCQ9m21eQx/kChqg==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
Sedangkan pada file /usr/local/named/etc/named.conf ditambahkan:
# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
algorithm hmac-md5;
secret "vukamQmCQ9m21eQx/kChqg==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf
Next....
# /usr/local/named/sbin/rndc-confgen > confgen.tmp
# grep -v "^#" confgen.tmp > /usr/local/named/etc/rndc.conf
#Grep "^#" confgen.tmp | sed 1.3d | sed -e "s/\#//g" | sed -e "s/END onf named.conf//g">> /usr/local/named/etc/named.conf
# rm -rf confgen.tmp
Langkah selanjutnya adalan mengubah kepemilikan home direktori dari user named, kemudian menjalankan daemon dari program BIND:
# chown -R named.named /var/named
Jalankan BIND:
# /usr/local/named/sbin/named -u named -c /usr/local/named/etc/named.conf
Jika sukses anda bisa melihat pada file /var/log/messages kira-kira seperti berikut:
# tail -f /var/log/messages
starting BIND 9.2.2rc1 -u named -c /usr/local/named/etc/named.conf
using 1 CPU
loading configuration from '/usr/local/named/etc/named.conf'
no IPv6 interfaces found
listening on IPv4 interface lo, 127.0.0.1#53
listening on IPv4 interface eth0, 10.126.24.1#53
command channel listening on 127.0.0.1#953
zone 17.195.124.in-addr.arpa/IN: loaded serial 2003021500
zone 0.0.127.in-addr.arpa/IN: loaded serial 2003021500
zone localhost/IN: loaded serial 2003021500
running
Tambahkan perintah "/usr/local/named/sbin/named iu named -c /usr/local/named/etc/named.conf" pada rc.local
root@ns1~]# echo ./usr/local/named/sbin/named -u named -c /usr/local/named/etc/named.conf. >> /etc/rc.local
Kemudian set resolver agar menggunakan name server localhost:
# echo "nameserver 127.0.0.1" > /etc/resolv.conf
Testing query menggunakan name server localhost dengan perintah host :
# host 127.0.0.1
1.0.0.127.in-addr.arpa domain name pointer localhost.
# host localhost
localhost has address 127.0.0.1
Dari semua diatas dns server telah siap untuk digunakan, ingat!! Ini bukan karya pribadi saya melainkan dari beberapa sumber yang telah saya aplikasikan, adapun referensi sebagai berikut:
• Komunitas FreeBSD Indonesia
• Kecoak Elektronik
• Layangan.com
1 komentar:
Are you facing trouble while signing in Bithumb ID? Do you want to troubleshoot the error immediately but you have no way of doing it? Well, under such situations, you can approach the well skilled experts who can be reached from any corner of the globe by dialing cost-free Bithumb Support Number at 1-800-665-6722 and get ultimate solution related to the ID sign error from the dedicated professionals. You can get in touch with them as per your convenience and requirements.Visit website:- http://www.cryptophonesupport.com/exchange/bithumb
Posting Komentar