
11.2. BIND

This chapter covers BIND (Berkeley Internet Name Domain), the DNS server included in Fedora. It focuses on the structure of its configuration files and explains how to administer the server both locally and remotely.

11.2.1. Configuring the named Service

When the named service starts, it reads its configuration from the files described in Table 11.1, "named service configuration files".
Table 11.1 named service configuration files
Path Description
/etc/named.conf The main configuration file.
/etc/named/ An auxiliary directory for configuration files that are included from the main configuration file.

The configuration file consists of a collection of statements with nested options surrounded by opening and closing curly brackets (that is, { and }). Note that when editing the file, you have to be careful not to make any syntax error, otherwise the named service will not start. Run named-checkconf against the edited file before restarting the service (named-checkconf -z additionally loads every configured zone file): it reports the offending line instead of leaving you with a resolver that refuses to start. A typical /etc/named.conf file is organized as follows:
statement-1 ["statement-1-name"] [statement-1-class] {
  option-1;
  option-2;
  option-N;
};
statement-2 ["statement-2-name"] [statement-2-class] {
  option-1;
  option-2;
  option-N;
};
statement-N ["statement-N-name"] [statement-N-class] {
  option-1;
  option-2;
  option-N;
};

Running BIND in a chroot environment

If you have installed the bind-chroot package, the named service runs in the /var/named/chroot environment. In that case, the initialization script mounts the configuration files listed above into the chroot with the mount --bind command, so that you can keep managing the configuration at its usual paths outside the chroot.

11.2.1.1. Common Statement Types

The following types of statements are commonly used in /etc/named.conf:
acl
The acl (Access Control List) statement allows you to define groups of hosts, which can then be allowed or denied access to the nameserver. It takes the following form:
acl acl-name {
  match-element;
  ...
};
The acl-name statement name is the name of the access control list, and each match-element is usually an individual IP address (such as 10.0.1.1), a network in CIDR notation (for example, 10.0.1.0/24), or the name of another acl. Elements are tested in order and the first one that matches decides the result; an element prefixed with ! matches negatively, so an exception such as !10.0.1.13 must be listed before the broader 10.0.1.0/24 it is carved out of, or it never takes effect. For a list of predefined keywords, see Table 11.2, "Predefined access control lists".
Table 11.2 Predefined access control lists
Keyword Description
any Matches every IP address.
localhost Matches every IP address in use on the local system.
localnets Matches every IP address on any network to which the local system is connected.
none Matches no IP address.

The acl statement is especially useful in conjunction with other statements such as options. Example 11.1, "Using acl in conjunction with options", defines two access control lists, black-hats and red-hats, blackholes black-hats (their queries are dropped without any response) and grants red-hats normal access.
Example 11.1 Using acl in conjunction with options
acl black-hats {
  10.0.2.0/24;
  192.168.0.0/24;
  1234:5678::9abc/24;
};
acl red-hats {
  10.0.1.0/24;
};
options {
  blackhole { black-hats; };
  allow-query { red-hats; };
  allow-query-cache { red-hats; };
};
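To make the first-match and negation rules concrete, here is an added Python example (it is not part of the Fedora documentation or of BIND) that evaluates address match lists the way named does, using the ACLs and the options block of Example 11.1. The localhost and localnets keywords are resolved against a constructed list of interface addresses, because the real daemon reads them from the system; the ! negation, the first-match rule and the handling of nested ACLs follow BIND's behaviour, while the function names and the "dropped"/"allowed"/"refused" labels are this example's own.

```python
import ipaddress

# ACLs from Example 11.1, plus the assumed addresses of the server's own
# interfaces (constructed; named derives localhost/localnets from the real
# interfaces, this example takes them as data).
ACLS = {
    "black-hats": ["10.0.2.0/24", "192.168.0.0/24", "1234:5678::9abc/24"],
    "red-hats": ["10.0.1.0/24"],
}
LOCAL_IFACES = ["127.0.0.1/8", "10.0.1.1/24", "::1/128"]

OPTIONS = {  # the options block of Example 11.1
    "blackhole": ["black-hats"],
    "allow-query": ["red-hats"],
    "allow-query-cache": ["red-hats"],
}


def _evaluate(elements, client, acls, local_ifaces):
    """Walk an address match list in order. Returns True on a positive match,
    False on a negated ('!') match and None when no element matched.
    The first element that matches decides; later elements are never consulted."""
    for element in elements:
        negated = element.startswith("!")
        name = element.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":
            hit = any(client == ipaddress.ip_interface(i).ip for i in local_ifaces)
        elif name == "localnets":
            hit = any(client in ipaddress.ip_interface(i).network for i in local_ifaces)
        elif name in acls:
            # A nested ACL counts only when it matches positively; a negative
            # match inside it is treated as "no match" so that a negated nested
            # ACL cannot turn into a surprise positive match by double negation.
            hit = _evaluate(acls[name], client, acls, local_ifaces) is True
        else:
            # Host address or CIDR prefix; strict=False accepts host bits in the
            # prefix, as in the page's 1234:5678::9abc/24. Address families that
            # differ never match.
            hit = client in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negated
    return None


def acl_matches(elements, client, acls=ACLS, local_ifaces=LOCAL_IFACES):
    """True only if the client is positively matched by the list."""
    return _evaluate(elements, ipaddress.ip_address(client), acls, local_ifaces) is True


def query_disposition(client, recursive, options=OPTIONS):
    """Approximate what named does with a query from `client`: blackholed
    sources are dropped without an answer, otherwise the allow-query-cache
    list (recursive query) or the allow-query list (authoritative query) decides."""
    if acl_matches(options["blackhole"], client):
        return "dropped"
    key = "allow-query-cache" if recursive else "allow-query"
    return "allowed" if acl_matches(options[key], client) else "refused"
```

The order dependence is the point worth remembering: acl_matches(["!10.0.1.13", "10.0.1.0/24"], "10.0.1.13") is False, but with the two elements swapped the /24 matches first and the exception is dead configuration.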

include
The include statement allows you to include files in the /etc/named.conf, so that potentially sensitive data (such as the shared secrets of key statements) can be placed in a separate file with restricted permissions. It takes the following form:
include "file-name";
The file-name statement name is an absolute path to a file.
Example 11.2 Including a file in /etc/named.conf
include "/etc/named.rfc1912.zones";

options
The options statement allows you to define global server configuration options as well as to set defaults for other statements. It can be used to specify the location of the named working directory, the types of queries allowed, and much more. It takes the following form:
options {
  option;
  ...
};
For a list of frequently used option directives, see Table 11.3, "Commonly used options", below.
Table 11.3 Commonly used options
Option Description
allow-query Specifies which hosts are allowed to query the nameserver for authoritative resource records. It accepts an access control list, a collection of IP addresses, or networks in CIDR notation. All hosts are allowed by default.
allow-query-cache Specifies which hosts are allowed to query the nameserver for non-authoritative data such as recursive queries. Only localhost and localnets are allowed by default.
blackhole Specifies which hosts are not allowed to query the nameserver; their queries are dropped without any response, and the server never sends queries to those addresses either. This option should be used when a particular host or network floods the server with requests. The default option is none.
directory Specifies the working directory of the named service. The default option is /var/named/.
dnssec-enable Specifies whether to return DNSSEC-related resource records. The default option is yes.
dnssec-validation Specifies whether to prove that resource records are authentic via DNSSEC. The default option is yes.
forwarders Specifies a list of valid IP addresses for nameservers to which the requests should be forwarded for resolution.
forward
Specifies the behavior of the forwarders directive. It accepts the following options:
  • first — The server will query the nameservers listed in the forwarders directive before attempting to resolve the name on its own.
  • only — When unable to query the nameservers listed in the forwarders directive, the server will not attempt to resolve the name on its own.
listen-on Specifies the IPv4 network interfaces on which to listen for queries. On a DNS server that also acts as a gateway, you can use this option to answer queries originating from a single network only. All IPv4 interfaces are used by default.
listen-on-v6 Specifies the IPv6 network interfaces on which to listen for queries. On a DNS server that also acts as a gateway, you can use this option to answer queries originating from a single network only. All IPv6 interfaces are used by default.
max-cache-size Specifies the maximum amount of memory to use for server caches. When the limit is reached, the server causes records to expire prematurely so that the limit is not exceeded. In a server with multiple views, the limit applies separately to the cache of each view. The default option is 32M.
notify
Specifies whether to notify the secondary nameservers when a zone is updated. It accepts the following options:
  • yes — The server will notify all secondary nameservers.
  • no — The server will not notify any secondary nameserver.
  • master-only — The server will send notifications only for zones for which it is the primary (master) server, not for zones it holds as a slave.
  • explicit — The server will notify only the secondary servers that are specified in the also-notify list within a zone statement.
pid-file Specifies the location of the process ID file created by the named service.
recursion Specifies whether to act as a recursive server. The default option is yes.
statistics-file Specifies an alternate location for statistics files. The /var/named/named.stats file is used by default.

Restrict recursive servers to selected clients only

Recursive resolvers that answer anyone are used as reflectors and amplifiers in distributed denial of service (DDoS) attacks, and an attacker who can trigger arbitrary recursive lookups also gets more opportunities to poison the cache. It is therefore recommended that you use the allow-query-cache option (together with allow-recursion, which governs the same set of clients) to restrict recursive DNS service to a particular subset of clients only, or to set recursion no on servers that are purely authoritative.
Refer to the BIND 9 Administrator Reference Manual referenced in "Installed Documentation", and the named.conf manual page for a complete list of available options.
例11.3 Using the options statement
options {
  allow-query       { localhost; };
  listen-on port    53 { 127.0.0.1; };
  listen-on-v6 port 53 { ::1; };
  max-cache-size    256M;
  directory         "/var/named";
  statistics-file   "/var/named/data/named_stats.txt";

  recursion         yes;
  dnssec-enable     yes;
  dnssec-validation yes;
};

zone
The zone statement allows you to define the characteristics of a zone, such as the location of its configuration file and zone-specific options, and can be used to override the global options statements. It takes the following form:
zone zone-name [zone-class] {
  option;
  ...
};
The zone-name attribute is the name of the zone, zone-class is the optional class of the zone, and option is a zone statement option as described in Table 11.4, "Commonly used options".
The zone-name attribute is particularly important, as it is the default value assigned for the $ORIGIN directive used within the corresponding zone file located in the /var/named/ directory. The named daemon appends the name of the zone to any non-fully qualified domain name listed in the zone file. For example, if a zone statement defines the namespace for example.com, use example.com as the zone-name so that it is placed at the end of hostnames within the example.com zone file.
For more information about zone files, refer to "Editing Zone Files".
Table 11.4 Commonly used options
Option Description
allow-query Specifies which clients are allowed to request information about this zone. This option overrides global allow-query option. All query requests are allowed by default.
allow-transfer Specifies which secondary servers are allowed to request a transfer of the zone's information. All transfer requests are allowed by default.
allow-update
Specifies which hosts are allowed to dynamically update information in their zone. The default option is to deny all dynamic update requests.
Be careful when allowing hosts to update their zone: an IP address in this list is the only check performed, and the source address of a UDP packet is trivially forged, so list IP addresses here only when the server sits on a trusted network. Prefer a TSIG key, as described in "Transaction SIGnatures (TSIG)", which authenticates each update message rather than its apparent source.
file Specifies the name of the file in the named working directory that contains the zone's configuration data.
masters Specifies from which IP addresses to request authoritative zone information. This option is used only if the zone is defined as type slave.
notify
Specifies whether to notify the secondary nameservers when a zone is updated. It accepts the following options:
  • yes — The server will notify all secondary nameservers.
  • no — The server will not notify any secondary nameserver.
  • master-only — The server will send notifications only for zones for which it is the primary (master) server, not for zones it holds as a slave.
  • explicit — The server will notify only the secondary servers that are specified in the also-notify list within a zone statement.
type
Specifies the zone type. It accepts the following options:
  • delegation-only — Enforces the delegation status of infrastructure zones such as COM, NET, or ORG. Any answer that is received without an explicit or implicit delegation is treated as NXDOMAIN. This option is only applicable in TLDs or root zone files used in recursive or caching implementations.
  • forward — Forwards all requests for information about this zone to other nameservers.
  • hint — A special type of zone used to point to the root nameservers which resolve queries when a zone is not otherwise known. No configuration beyond the default is necessary with a hint zone.
  • master — Designates the nameserver as authoritative for this zone. A zone should be set as the master if the zone's configuration files reside on the system.
  • slave — Designates the nameserver as a slave (secondary) server for this zone. The master server is specified in the masters directive.

Most changes to the /etc/named.conf file of a primary or secondary nameserver involve adding, modifying, or deleting zone statements, and only a small subset of zone statement options is usually needed for a nameserver to work efficiently.
In 例11.4「A zone statement for a primary nameserver」, the zone is identified as example.com, the type is set to master, and the named service is instructed to read the /var/named/example.com.zone file. It also allows only a secondary nameserver (192.168.0.2) to transfer the zone.
例11.4 A zone statement for a primary nameserver
zone "example.com" IN {
  type master;
  file "example.com.zone";
  allow-transfer { 192.168.0.2; };
};

A secondary server's zone statement is slightly different. The type is set to slave, and the masters directive tells named the IP address of the master server.
In Example 11.5, "A zone statement for a secondary nameserver", the named service is configured to query the primary server at the 192.168.0.1 IP address for information about the example.com zone. The received information is then saved to the /var/named/slaves/example.com.zone file. Note that you have to put all slave zone files in the /var/named/slaves directory: named must be able to create the file it receives, and that directory is the one Fedora makes writable for the named user (including its SELinux file context), whereas /var/named itself is not; a slave zone file placed elsewhere fails to transfer with a permission error.
例11.5 A zone statement for a secondary nameserver
zone "example.com" {
  type slave;
  file "slaves/example.com.zone";
  masters { 192.168.0.1; };
};

11.2.1.2. Other Statement Types

The following types of statements are less commonly used in /etc/named.conf:
controls
The controls statement allows you to configure various security requirements necessary to use the rndc command to administer the named service.
For more information about the rndc utility and its usage, refer to "Using the rndc Utility".
key
The key statement allows you to define a particular key by name. Keys are used to authenticate various actions, such as secure updates or the use of the rndc command. Two options are used with key:
  • algorithm algorithm-name — The HMAC algorithm to use (for example, hmac-sha256; hmac-md5 appears in older examples but should not be used for new keys).
  • secret "key-value" — The base64-encoded shared secret. It is encoded, not encrypted: anyone who can read it can forge the dynamic updates or rndc commands the key authorizes, so keep it in a separate file with restricted permissions and pull it in with an include statement.
For more information about the rndc utility and its usage, refer to "Using the rndc Utility".
logging
The logging statement allows you to use multiple types of logs, so-called channels. By using the channel option within the statement, you can construct a customized type of log with its own file name (file), size limit (size), versioning (version), and level of importance (severity). Once a customized channel is defined, a category option is used to categorize the channel and begin logging when the named service is restarted.
By default, named sends standard messages to the rsyslog daemon, which places them in /var/log/messages. Several standard channels are built into BIND with various severity levels, such as default_syslog (which handles informational logging messages) and default_debug (which specifically handles debugging messages). A default category, called default, uses the built-in channels to do normal logging without any special configuration.
Customizing the logging process can be a very detailed process and is beyond the scope of this chapter. For information on creating custom BIND logs, refer to the BIND 9 Administrator Reference Manual referenced in 「インストールされているドキュメント」.
server
The server statement allows you to specify options that affect how the named service should respond to remote nameservers, especially with regard to notifications and zone transfers.
The transfer-format option controls the number of resource records that are sent with each message. It can be either one-answer (only one resource record), or many-answers (multiple resource records). Note that while the many-answers option is more efficient, it is not supported by older versions of BIND.
trusted-keys
The trusted-keys statement allows you to specify assorted public keys used for secure DNS (DNSSEC). Refer to 「DNS Security Extensions (DNSSEC)」 for more information on this topic.
view
The view statement allows you to create special views depending upon which network the host querying the nameserver is on. This allows some hosts to receive one answer regarding a zone while other hosts receive totally different information. Alternatively, certain zones may only be made available to particular trusted hosts while non-trusted hosts can only make queries for other zones.
Multiple views can be used as long as their names are unique. The match-clients option allows you to specify the IP addresses that apply to a particular view. If the options statement is used within a view, it overrides the already configured global options. Finally, most view statements contain multiple zone statements that apply to the match-clients list.
Note that the order in which the view statements are listed is important, as the first statement that matches a particular client's IP address is used. For more information on this topic, refer to "Multiple Views".

11.2.1.3. Comment Tags

In addition to statements, the /etc/named.conf file can also contain comments. Comments are ignored by the named service, but can prove useful when providing additional information to a user. The following are valid comment tags:
//
Any text after the // characters to the end of the line is considered a comment. For example:
notify yes;  // notify all secondary nameservers
#
Any text after the # character to the end of the line is considered a comment. For example:
notify yes;  # notify all secondary nameservers
/* */
Any block of text enclosed in /* and */ is considered a comment. For example:
notify yes;  /* notify all secondary nameservers */
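The statement layout described in 11.2.1 (statements with nested { } blocks terminated by ;) and the three comment forms above are simple enough to parse, which makes it practical to audit a named.conf for the two settings this section warns about: a recursive cache opened to everyone, and master zones whose transfers are not restricted. The following Python example is added here and is not code from the Fedora documentation or from BIND; it is not a full named.conf grammar (it does not know the individual option names, only the block structure), its error messages are its own, and the sample configuration it parses is constructed for the example. It also checks allow-recursion, a BIND option not listed on this page that controls the same clients as allow-query-cache.

```python
import re

# Constructed sample named.conf (not taken from any real server). It exercises
# nested blocks, quoted strings and all three comment forms the page lists.
SAMPLE_CONF = r'''
// global ACL: clients allowed to use the cache
acl "trusted" { 10.0.1.0/24; localhost; };   # second comment style
options {
  directory "/var/named";
  listen-on port 53 { 127.0.0.1; 10.0.1.1; };
  allow-query       { any; };
  allow-query-cache { trusted; };   /* third comment style */
  recursion yes;
};
/* a multi-line comment containing ; and { which
   must not confuse the parser */
zone "example.com" IN {
  type master;
  file "example.com.zone";
  allow-transfer { 192.168.0.2; };
};
zone "corp.example" IN {
  type master;
  file "corp.example.zone";          // no allow-transfer: anyone may AXFR
};
include "/etc/named.rfc1912.zones";
'''

TOKEN_RE = re.compile(r'''
    (?P<ws>\s+)
  | (?P<comment>//[^\n]*|\#[^\n]*|/\*.*?\*/)
  | (?P<string>"(?:[^"\\]|\\.)*")
  | (?P<punct>[{};])
  | (?P<word>[^\s{};"]+)
''', re.VERBOSE | re.DOTALL)


def tokenize(text):
    """Split named.conf text into words, string values (quotes removed) and the
    punctuation { } ;. Comments and whitespace are dropped, as named ignores them."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:                       # e.g. an unterminated quoted string
            raise SyntaxError(f"bad character at offset {pos}: {text[pos]!r}")
        pos = m.end()
        if m.group("word") and m.group("word").startswith("/*"):
            raise SyntaxError("unterminated /* comment")
        if m.group("string"):
            tokens.append(m.group("string")[1:-1])
        elif m.group("punct") or m.group("word"):
            tokens.append(m.group(0))
    return tokens


def parse(tokens):
    """Return a list of (words, block) statements: block is the list of nested
    statements for `words { ... };`, or None for a simple `words ;` statement.
    Raises SyntaxError for the mistakes that keep named from starting."""
    pos = 0

    def block(nested):
        nonlocal pos
        statements, words = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":
                if not words:
                    raise SyntaxError("empty statement")
                statements.append((words, None))
                words = []
            elif tok == "{":
                inner = block(True)
                if pos >= len(tokens) or tokens[pos] != ";":
                    raise SyntaxError("missing ';' after '}' of " + " ".join(words))
                pos += 1
                statements.append((words, inner))
                words = []
            elif tok == "}":
                if not nested:
                    raise SyntaxError("unexpected '}'")
                if words:
                    raise SyntaxError("missing ';' before '}' after " + " ".join(words))
                return statements
            else:
                words.append(tok)
        if nested:
            raise SyntaxError("missing '}'")
        if words:
            raise SyntaxError("missing ';' after " + " ".join(words))
        return statements

    return block(False)


def values(statements, keyword):
    """Value lists of every `keyword { v1; v2; ... };` statement in a block."""
    return [[" ".join(w) for w, _ in blk]
            for words, blk in statements if words and words[0] == keyword and blk is not None]


def audit(text):
    """Flag a recursive cache open to any client, and master zones whose
    transfers are unrestricted (the default allows every client to AXFR)."""
    conf = parse(tokenize(text))
    findings = []
    for words, blk in conf:
        if not words or blk is None:
            continue
        if words[0] == "options":
            recursion = [w[1] for w, _ in blk if len(w) > 1 and w[0] == "recursion"]
            if recursion and recursion[-1] != "yes":
                continue                    # recursion off: the cache ACL is moot
            lists = values(blk, "allow-query-cache") + values(blk, "allow-recursion")
            if any("any" in v for v in lists):
                findings.append("recursion is open to any client")
        elif words[0] == "zone":
            ztype = [w[1] for w, _ in blk if len(w) > 1 and w[0] == "type"]
            if ztype and ztype[0] != "master":
                continue                    # only authoritative zones are checked
            transfers = values(blk, "allow-transfer")
            if not transfers or any("any" in t for t in transfers):
                name = words[1] if len(words) > 1 else "?"
                findings.append(f"zone {name}: allow-transfer is unrestricted")
    return findings
```

Running audit(SAMPLE_CONF) reports only the corp.example zone, because allow-query-cache is limited to the trusted ACL and example.com restricts transfers to its secondary. A configuration missing the ; after a closing } raises SyntaxError from parse, which is the same class of mistake named-checkconf catches before the service refuses to start.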