How to install and configure BIND9 on Ubuntu 22.04

Test environment

$ lsb_release -d
Description:    Ubuntu 22.04.2 LTS

Installing BIND9

Update the package list

sudo apt update

Install BIND9 and its utilities

sudo apt install -y bind9 bind9-dnsutils bind9-utils

named -v
BIND 9.18.30-0ubuntu0.22.04.2-Ubuntu (Extended Support Version) <id:>

named -V
BIND 9.18.30-0ubuntu0.22.04.2-Ubuntu (Extended Support Version) <id:>
running on Linux x86_64 5.15.0-136-generic #147-Ubuntu SMP Sat Mar 15 15:53:30 UTC 2025
built by make with  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--disable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=yes' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/bind9-AB1uwX/bind9-9.18.30=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 11.4.0
compiled with OpenSSL version: OpenSSL 3.0.2 15 Mar 2022
linked to OpenSSL version: OpenSSL 3.0.2 15 Mar 2022
compiled with libuv version: 1.43.0
linked to libuv version: 1.43.0
compiled with libnghttp2 version: 1.43.0
linked to libnghttp2 version: 1.43.0
compiled with libxml2 version: 2.9.13
linked to libxml2 version: 20913
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes

default paths:
  named configuration:  /etc/bind/named.conf
  rndc configuration:   /etc/bind/rndc.conf
  DNSSEC root key:      /etc/bind/bind.keys
  nsupdate session key: //run/named/session.key
  named PID file:       //run/named/named.pid
  named lock file:      //run/named/named.lock
  geoip-directory:      /usr/share/GeoIP

BIND9 basic configuration

  • /etc/bind/named.conf : main configuration file
  • /etc/bind/named.conf.options : server operating options
  • /etc/bind/named.conf.local : local zone definitions

Configuring named.conf

sudo vim /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.logging.conf";

Configuring named.conf.options

sudo vim /etc/bind/named.conf.options
options {
        listen-on { any; };
        listen-on-v6 { any; };

        directory "/var/cache/bind";

        allow-transfer { none; };
        allow-update { none; };
        allow-query { any; };

        recursion yes;

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        dnssec-validation auto;
};

A caveat on this block: recursion is on, allow-query is any, and there is no allow-recursion or allow-query-cache statement. When those two are absent, BIND uses the allow-query list to decide who may recurse, so every host that can reach the listening addresses can use this server as a recursive resolver. That is fine on an isolated LAN, but on a host reachable from outside your network add allow-recursion (and allow-query-cache) limited to localhost, localnets and your own client ranges. The allow-transfer and allow-update settings above are already restrictive.
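The following Python script, added here as an illustration and not part of the original post, checks an options block for exactly that condition. It resolves BIND's fallback chain (allow-recursion, then allow-query-cache, then allow-query, then the built-in localnets; localhost) and runs the check on the post's options block and on a hardened copy. The client range 192.168.1.0/24 in the hardened copy is an assumption taken from the zone data later in the post.

```python
"""Audit a BIND options block for unrestricted recursion.

Added example, not part of the original post. It applies BIND's documented
fallback: when allow-recursion is absent, allow-query-cache is used; when that
is absent too, allow-query is used; otherwise localnets and localhost.
"""
import re

# The options block from the post, copied here as a string.
PAGE_OPTIONS = """
options {
        listen-on { any; };
        listen-on-v6 { any; };
        directory "/var/cache/bind";
        allow-transfer { none; };
        allow-update { none; };
        allow-query { any; };
        recursion yes;
        forwarders { 8.8.8.8; 8.8.4.4; };
        dnssec-validation auto;
};
"""

# Hardened variant: the same block plus an explicit recursion ACL. The client
# range 192.168.1.0/24 is an assumption taken from the zone data in the post.
HARDENED_OPTIONS = PAGE_OPTIONS.replace(
    "        recursion yes;\n",
    "        recursion yes;\n"
    "        allow-recursion { localhost; localnets; 192.168.1.0/24; };\n"
    "        allow-query-cache { localhost; localnets; 192.168.1.0/24; };\n",
)


def strip_comments(text):
    """Drop /* */, // and # comments so they cannot hide or fake a statement."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def acl_of(text, statement):
    """Return the address-match list of `statement { ...; };`, or None if absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}\s*;" % re.escape(statement), text)
    if m is None:
        return None
    return [item.strip() for item in m.group(1).split(";") if item.strip()]


def effective_allow_recursion(text):
    """Resolve which statement actually governs recursion and what it allows."""
    for statement in ("allow-recursion", "allow-query-cache", "allow-query"):
        acl = acl_of(text, statement)
        if acl is not None:
            return statement, acl
    return "default", ["localnets", "localhost"]


def recursion_enabled(text):
    m = re.search(r"\brecursion\s+(yes|no)\s*;", text)
    return m is None or m.group(1) == "yes"  # named defaults to recursion yes


def audit(options_text):
    """Return a list of findings; an empty list means nothing was detected."""
    text = strip_comments(options_text)
    findings = []
    if recursion_enabled(text):
        source, acl = effective_allow_recursion(text)
        if "any" in acl:
            findings.append(
                f"open resolver: recursion is on and the effective "
                f"allow-recursion ACL (taken from {source}) contains 'any'"
            )
    if "any" in (acl_of(text, "allow-transfer") or []):
        findings.append("allow-transfer { any; } exposes full zone contents")
    return findings


if __name__ == "__main__":
    print("page options :", audit(PAGE_OPTIONS))
    print("hardened copy:", audit(HARDENED_OPTIONS))
```

The regex parsing is deliberately simple and only meant for an options block like the one above; named-checkconf remains the authority on syntax, it just does not warn about this particular policy choice.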

Enabling logging

Every category below gets its own file under /var/log/named at severity debug. The queries and query-errors channels in particular grow quickly on a busy resolver; versions 3 size 20m caps each log at the current file plus three rotated ones of 20 MB each.

Configuring named.logging.conf

sudo vim /etc/bind/named.logging.conf
logging {
        channel "default_syslog" {
                // One definition per channel name: messages of the "default"
                // category are written to this file.
                file "/var/log/named/default.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "general_syslog" {
                file "/var/log/named/general.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "database_syslog" {
                file "/var/log/named/database.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "security_syslog" {
                file "/var/log/named/security.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "config_syslog" {
                file "/var/log/named/config.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "resolver_syslog" {
                file "/var/log/named/resolver.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "xfer-in_syslog" {
                file "/var/log/named/xfer-in.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "xfer-out_syslog" {
                file "/var/log/named/xfer-out.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "notify_syslog" {
                file "/var/log/named/notify.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "client_syslog" {
                file "/var/log/named/client.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "unmatched_syslog" {
                file "/var/log/named/unmatched.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "network_syslog" {
                file "/var/log/named/network.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "update_syslog" {
                file "/var/log/named/update.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "update-security_syslog" {
                file "/var/log/named/update-security.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "queries_syslog" {
                file "/var/log/named/queries.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "query-errors_syslog" {
                file "/var/log/named/query-errors.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "dispatch_syslog" {
                file "/var/log/named/dispatch.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "dnssec_syslog" {
                file "/var/log/named/dnssec.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "lame-servers_syslog" {
                file "/var/log/named/lame-servers.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "delegation-only_syslog" {
                file "/var/log/named/delegation-only.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel "edns-disabled_syslog" {
                file "/var/log/named/edns-disabled.log" versions 3 size 20m;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        category default { default_syslog; };
        category general { general_syslog; };
        category database { database_syslog; };
        category security { security_syslog; };
        category config { config_syslog; };
        category resolver { resolver_syslog; };
        category xfer-in { xfer-in_syslog; };
        category xfer-out { xfer-out_syslog; };
        category notify { notify_syslog; };
        category client { client_syslog; };
        category unmatched { unmatched_syslog; };
        category network { network_syslog; };
        category update { update_syslog; };
        category update-security { update-security_syslog; };
        category queries { queries_syslog; };
        category query-errors { query-errors_syslog; };
        category dispatch { dispatch_syslog; };
        category dnssec { dnssec_syslog; };
        category lame-servers { lame-servers_syslog; };
        category delegation-only { delegation-only_syslog; };
        category edns-disabled { edns-disabled_syslog; };
};

Create the log directory and set its permissions

sudo mkdir /var/log/named
sudo chown bind:bind /var/log/named
sudo chmod 755 /var/log/named
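Once queries.log is being written, the lines are only useful if something reads them. The Python script below is an added example, not from the post: it parses constructed lines in the format the channels above produce (time, category and severity prefixed), counts queries per client, and flags clients outside the networks the resolver is meant to serve, ANY queries, and bursts from a single source. The allowed networks 127.0.0.0/8 and 192.168.1.0/24 and the sample client addresses are assumptions for the demonstration; the last sample line shows the "denied" message the security category records once recursion is restricted.

```python
"""Triage BIND query-log lines from /var/log/named/queries.log.

Added example, not part of the original post. The sample lines below are
constructed to mimic the format produced by the logging configuration above
(print-time, print-category and print-severity enabled); the client addresses
are documentation ranges, not real hosts.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: two ordinary LAN lookups, a burst of ANY queries from an
# address outside the LAN, and one "denied" line from the security category
# (what the same client produces once allow-recursion is restricted).
SAMPLE_LOG = """\
09-May-2025 14:02:31.512 queries: info: client @0x7f3c5c0b2e60 192.168.1.50#53211 (www.example.com): query: www.example.com IN A +E(0)K (192.168.1.100)
09-May-2025 14:02:32.004 queries: info: client @0x7f3c5c0b2e60 192.168.1.50#53212 (example.com): query: example.com IN AAAA +E(0)K (192.168.1.100)
09-May-2025 14:02:40.118 queries: info: client @0x7f3c5c0b3f10 203.0.113.7#41234 (isc.org): query: isc.org IN ANY +E(0) (192.168.1.100)
09-May-2025 14:02:40.119 queries: info: client @0x7f3c5c0b3f10 203.0.113.7#41235 (isc.org): query: isc.org IN ANY +E(0) (192.168.1.100)
09-May-2025 14:02:40.120 queries: info: client @0x7f3c5c0b3f10 203.0.113.7#41236 (isc.org): query: isc.org IN ANY +E(0) (192.168.1.100)
09-May-2025 14:02:40.121 queries: info: client @0x7f3c5c0b3f10 203.0.113.7#41237 (isc.org): query: isc.org IN ANY +E(0) (192.168.1.100)
09-May-2025 14:02:40.122 queries: info: client @0x7f3c5c0b3f10 203.0.113.7#41238 (isc.org): query: isc.org IN ANY +E(0) (192.168.1.100)
09-May-2025 14:02:40.123 queries: info: client @0x7f3c5c0b3f10 203.0.113.7#41239 (isc.org): query: isc.org IN ANY +E(0) (192.168.1.100)
09-May-2025 14:02:55.000 security: info: client @0x7f3c5c0b3f10 203.0.113.7#41240 (isc.org): query (cache) 'isc.org/ANY/IN' denied
"""

# Fields of a "queries" line: timestamp, severity, client address and port,
# the name as asked, then "query: <name> <class> <type> <flags> (<server-ip>)".
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: (?P<sev>\w+): client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+) \((?P<qname>[^)]*)\): query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) (?P<flags>\S+)"
)


def parse_line(line):
    """Return the fields of one 'queries' log line, or None for anything else."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, allowed_nets=("127.0.0.0/8", "192.168.1.0/24"), burst_threshold=5):
    """Summarise who is querying and flag what a LAN resolver should not see."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    per_client = Counter()
    any_queries = Counter()
    outside = set()
    for record in filter(None, map(parse_line, log_text.splitlines())):
        ip = ipaddress.ip_address(record["ip"])
        per_client[record["ip"]] += 1
        if record["type"] == "ANY":
            any_queries[record["ip"]] += 1
        if not any(ip in n for n in nets):
            outside.add(record["ip"])
    return {
        "per_client": dict(per_client),
        "any_queries": dict(any_queries),
        "outside_allowed_nets": sorted(outside),
        "bursty_clients": sorted(c for c, n in per_client.items() if n > burst_threshold),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the real file with a small wrapper (open /var/log/named/queries.log, pass the text to analyze) and adjust allowed_nets to the ranges listed in allow-recursion; any client reported under outside_allowed_nets is one the ACL should already be refusing.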

Creating zone files

Forward zone file (db.example.com)

sudo vim /etc/bind/db.example.com
$TTL    86400
@       IN      SOA     ns1.example.com. admin.example.com. (
                              2025050901 ; Serial
                              3600       ; Refresh
                              1800       ; Retry
                              604800     ; Expire
                              86400 )    ; Minimum TTL
;
        IN      NS      ns1.example.com.
        IN      A       192.168.1.100
ns1     IN      A       192.168.1.100
www     IN      A       192.168.1.100

Reverse zone file (db.192.168.1)

sudo vim /etc/bind/db.192.168.1
$TTL    86400
@       IN      SOA     ns1.example.com. admin.example.com. (
                              2025050901 ; Serial
                              3600       ; Refresh
                              1800       ; Retry
                              604800     ; Expire
                              86400 )    ; Minimum TTL
;
        IN      NS      ns1.example.com.
100     IN      PTR     ns1.example.com.
100     IN      PTR     www.example.com.

File permissions and ownership

sudo chown bind:bind /etc/bind/db.example.com /etc/bind/db.192.168.1
sudo chmod 644 /etc/bind/db.example.com /etc/bind/db.192.168.1
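The post lists named.conf.local as the place for zone definitions but does not show the two zone stanzas, and the reverse file has to be kept in step with the forward one by hand. The Python script below is an added example, not the post's own files: from the forward A records it derives the reverse zone name, the db.192.168.1 content with one PTR per A record, the named.conf.local stanzas (assumed here as type master, the standard declaration for an authoritative primary), and a serial bumped in the YYYYMMDDnn convention that the post's serial 2025050901 follows.

```python
"""Derive the reverse zone and named.conf.local stanzas from the forward records.

Added example, not part of the original post. It reuses the post's data
(example.com, ns1 and www at 192.168.1.100, serial 2025050901) and assumes the
zones are declared as type master in /etc/bind/named.conf.local, which the
post lists but does not show.
"""
import ipaddress
from datetime import date

ORIGIN = "example.com"
PRIMARY_NS = "ns1.example.com."
ADMIN_MAIL = "admin.example.com."
NETWORK = "192.168.1.0/24"
# A records from db.example.com (constructed copy of the post's data).
FORWARD_A = {"ns1": "192.168.1.100", "www": "192.168.1.100"}


def _prefix_octets(network):
    """Network octets covered by a classful /8, /16 or /24 prefix."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only IPv4 /8, /16 and /24 reverse zones are handled here")
    return str(net.network_address).split(".")[: net.prefixlen // 8]


def reverse_zone_name(network):
    """'192.168.1.0/24' -> '1.168.192.in-addr.arpa'."""
    return ".".join(reversed(_prefix_octets(network))) + ".in-addr.arpa"


def reverse_file_name(network):
    """'192.168.1.0/24' -> 'db.192.168.1', matching the post's file naming."""
    return "db." + ".".join(_prefix_octets(network))


def ptr_owner(ip, network):
    """Owner label of the PTR record, relative to the reverse zone origin."""
    net = ipaddress.ip_network(network)
    if ipaddress.ip_address(ip) not in net:
        raise ValueError(f"{ip} is not inside {network}")
    return ".".join(reversed(ip.split(".")[net.prefixlen // 8:]))


def bump_serial(current, today_yyyymmdd):
    """YYYYMMDDnn convention: first change of the day -> nn=01, later changes -> +1."""
    day_base = today_yyyymmdd * 100
    return day_base + 1 if current < day_base else current + 1


def build_reverse_zone(forward_a, origin, network, serial, ttl=86400):
    """Emit a db.<net> file with one PTR per A record, so both directions agree."""
    lines = [
        f"$TTL    {ttl}",
        f"@       IN      SOA     {PRIMARY_NS} {ADMIN_MAIL} (",
        f"                              {serial} ; Serial",
        "                              3600       ; Refresh",
        "                              1800       ; Retry",
        "                              604800     ; Expire",
        "                              86400 )    ; Minimum TTL",
        ";",
        f"        IN      NS      {PRIMARY_NS}",
    ]
    for host, ip in sorted(forward_a.items()):
        lines.append(f"{ptr_owner(ip, network):<8}IN      PTR     {host}.{origin}.")
    return "\n".join(lines) + "\n"


def zone_stanzas(origin, network):
    """named.conf.local entries for the forward and reverse zones (assumed type master)."""
    return (
        f'zone "{origin}" {{\n'
        "        type master;\n"
        f'        file "/etc/bind/db.{origin}";\n'
        "};\n"
        f'zone "{reverse_zone_name(network)}" {{\n'
        "        type master;\n"
        f'        file "/etc/bind/{reverse_file_name(network)}";\n'
        "};\n"
    )


if __name__ == "__main__":
    today = int(date.today().strftime("%Y%m%d"))
    serial = bump_serial(2025050901, today)
    print(zone_stanzas(ORIGIN, NETWORK))
    print(build_reverse_zone(FORWARD_A, ORIGIN, NETWORK, serial))
```

After writing the generated files, validate the reverse zone as well as the forward one, for example named-checkzone 1.168.192.in-addr.arpa /etc/bind/db.192.168.1 next to the example.com check in the next section; the owner and mode commands above apply to the regenerated file too.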

Validating the configuration files

Syntax check

sudo named-checkconf /etc/bind/named.conf

Zone file check

sudo named-checkzone example.com /etc/bind/db.example.com

Starting and enabling the BIND9 service

Start automatically at boot

sudo systemctl enable --now named

Restart the service

sudo systemctl restart named

Check the status

sudo systemctl status named

Testing the DNS server

Local test

dig @127.0.0.1 example.com

Client test

nslookup example.com

 

With this, BIND9 is installed on Ubuntu 22.04 and configured as a basic DNS server.