예시 환경)
도메인: mydomain.com
IP 주소:
11.22.33.44(reverse 33.22.11)
100.101.102.103(reverse 102.101.100)
Secondary Name Server: 202.31.187.220
1. bind 설치
# Refresh the package index, then install BIND 9 with its admin tools
# (bind9-utils: named-checkconf/named-checkzone/rndc) and client tools (bind9-dnsutils: dig).
apt update
apt install -y bind9 bind9-utils bind9-dnsutils
2. 디렉토리 생성
# Directory for the zone files referenced from named.conf.local.
# Owner root, group bind: the named service account can read the zone data but not replace it.
# Mode 2750: setgid on the directory (new files inherit group "bind"), rwx root, r-x group, nothing for others.
mkdir -p /etc/bind/zones
chown -R root:bind /etc/bind/zones
chmod 2750 /etc/bind/zones
3. 설정 파일 작성
vi /etc/bind/named.conf
-----
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
// NOTE(review): named refuses to start when an included file is missing, so
// confirm this file exists on the host (named-checkconf in step 4 reports it).
// With "recursion no;" set in named.conf.options, root hints are never used.
include "/etc/bind/named.conf.root-hints";
-----
vi /etc/bind/named.conf.local
-----
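// Authoritative zones for the example environment.
// Every zone allows transfer (AXFR/IXFR) and sends NOTIFY to the secondary
// name server 202.31.187.220 only; the global default in named.conf.options
// is allow-transfer { none; }, so no other host can pull a zone copy.

// Forward zone.
zone "mydomain.com" {
    type master;
    file "/etc/bind/zones/db.mydomain.com";
    allow-transfer { 202.31.187.220; };
    also-notify { 202.31.187.220; };
};

// Reverse zone for 11.22.33.0/24 (zone file db.33.22.11, written in step 3).
// The zone name must match the file's $ORIGIN (33.22.11.in-addr.arpa.) and
// the name given to named-checkzone in step 4.
zone "33.22.11.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.33.22.11";
    allow-transfer { 202.31.187.220; };
    also-notify { 202.31.187.220; };
};

// Reverse zone for 100.101.102.0/24 (zone file db.102.101.100, written in
// step 3 and checked in step 4). A file path that does not exist makes named
// log a load failure for the zone and answer SERVFAIL for it.
zone "102.101.100.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.102.101.100";
    allow-transfer { 202.31.187.220; };
    also-notify { 202.31.187.220; };
};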
-----
vi /etc/bind/named.conf.options
-----
options {
// Working directory for relative paths and runtime state.
directory "/var/cache/bind";
// Authoritative-only server: refuse recursive lookups so this host cannot be
// used as an open resolver by arbitrary Internet clients.
recursion no;
// Anyone may query the zones this server is authoritative for; this is only
// safe in combination with "recursion no" above.
allow-query { any; };
// Global default: block zone transfers; only the per-zone entries in
// named.conf.local grant transfer to the secondary.
allow-transfer { none; };
// Only affects recursive validation; harmless with recursion disabled.
dnssec-validation auto;
listen-on { any; };
listen-on-v6 { any; };
// Replace the BIND version string returned for CHAOS "version.bind" queries.
version "not disclosed";
};
-----
vi /etc/bind/zones/db.mydomain.com
-----
$TTL 300
$ORIGIN mydomain.com.
; SOA: ns1 is the primary; tech.mydomain.com. is the hostmaster mailbox (tech@mydomain.com).
; Increase the serial on every change or the secondary (202.31.187.220) will not refresh its copy.
@ IN SOA ns1.mydomain.com. tech.mydomain.com. (
2026022701 ; Serial (YYYYMMDDnn)
3600 ; Refresh
900 ; Retry
1209600 ; Expire
300 ; Negative Cache TTL
)
; #################################################
; # NS
; #################################################
@ IN NS ns1.mydomain.com.
@ IN NS ns2.mydomain.com.
; #################################################
; # A (ns1 / services: 11.22.33.44)
; #################################################
@ IN A 11.22.33.44
ns1 IN A 11.22.33.44
mail IN A 11.22.33.44
cloud IN A 11.22.33.44
ftp IN A 11.22.33.44
hasu0707 IN A 11.22.33.44
imap IN A 11.22.33.44
pop IN A 11.22.33.44
pop3 IN A 11.22.33.44
smtp IN A 11.22.33.44
tech IN A 11.22.33.44
www IN A 11.22.33.44
; #################################################
; # A (ns2: 202.31.187.220)
; #################################################
ns2 IN A 202.31.187.220
; #################################################
; # A (services: 100.101.102.103)
; #################################################
local IN A 100.101.102.103
seetrol IN A 100.101.102.103
webdav IN A 100.101.102.103
nas IN A 100.101.102.103
; #################################################
; # MX
; #################################################
@ IN MX 10 mail.mydomain.com.
; #################################################
; # SPF (recommended: publish directly at the zone apex)
; #################################################
; Only the two service addresses are authorised senders; "~all" = softfail for everything else.
; Receivers evaluate the apex record; the _spf copy is only used if another
; record references it via include:/redirect=.
@ IN TXT "v=spf1 ip4:11.22.33.44 ip4:100.101.102.103 ~all"
_spf IN TXT "v=spf1 ip4:11.22.33.44 ip4:100.101.102.103 ~all"
; #################################################
; # DKIM
; #################################################
; Selector is "mydkim": the signing MTA must use the same selector, and the
; lookup name is mydkim._domainkey.mydomain.com (see the dig check in step 4).
mydkim._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFA29832ur89ifq34jfq98fqjhfqoiqfjw98q238u923hjfq239h289q38923rh89235t8qkufCwYmJfmOH7VXuVqUyg1LqFDBzDHptJigJClC6UqympkiA8qADieaCv858fWNiS7kuOJrcN5GhLz9oTfzg+mjBGqbcugExNa3mTcB1gVgJGeVHj8Wbpr2jWr0rCWltwTukRkGE+6J1aY1CNbrmdxtMwBNoS"
"arUp4fk09erbst89h3498fja089jfalkzxdmnva09234902390q342fj093q4gj349sguaegopadfjmaorjb4c2fR6UG6SCLdYXJudfx5X8gVb00LBTi1QadVJ/qhSyPcCs0WQSQIDAQAB" ) ; ----- DKIM key mydkim for mydomain.com
; #################################################
; # DMARC
; #################################################
; p=reject / sp=reject = reject unauthenticated mail for the domain and its subdomains
; rua = aggregate report recipient
; (ruf = failure report recipient; not set in this record)
; fo=1 = send a report if any one of SPF/DKIM fails
; adkim=s = DKIM strict alignment
; aspf=s = SPF strict alignment
; pct=100 = apply the policy to 100% of messages
_dmarc IN TXT "v=DMARC1; p=reject; sp=reject; rua=mailto:hasu0707@nate.com; fo=1; adkim=s; aspf=s; pct=100"
-----
vi /etc/bind/zones/db.33.22.11
-----
$TTL 300
$ORIGIN 33.22.11.in-addr.arpa.
; Reverse zone for 11.22.33.0/24; SOA timers mirror the forward zone.
@ IN SOA ns1.mydomain.com. tech.mydomain.com. (
2026022701 ; Serial (YYYYMMDDnn)
3600 ; Refresh
900 ; Retry
1209600 ; Expire
300 ; Negative Cache TTL
)
@ IN NS ns1.mydomain.com.
@ IN NS ns2.mydomain.com.
; 11.22.33.44 -> mail.mydomain.com. (same as the MX target; many receiving MTAs
; check that the sending IP's PTR resolves back to that IP).
44 IN PTR mail.mydomain.com.
-----
vi /etc/bind/zones/db.102.101.100
-----
$TTL 300
$ORIGIN 102.101.100.in-addr.arpa.
; Reverse zone for 100.101.102.0/24; SOA timers mirror the forward zone.
@ IN SOA ns1.mydomain.com. tech.mydomain.com. (
2026022701 ; Serial (YYYYMMDDnn)
3600 ; Refresh
900 ; Retry
1209600 ; Expire
300 ; Negative Cache TTL
)
@ IN NS ns1.mydomain.com.
@ IN NS ns2.mydomain.com.
; 100.101.102.103 -> local.mydomain.com. (one PTR per address; the other
; names on this IP in the forward zone intentionally have no PTR).
103 IN PTR local.mydomain.com.
-----
4. 테스트
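# Syntax check of named.conf and every file it includes.
named-checkconf
# Validate each zone file. The zone name passed here must match the zone
# statement in named.conf.local and the file's $ORIGIN.
named-checkzone mydomain.com /etc/bind/zones/db.mydomain.com
named-checkzone 33.22.11.in-addr.arpa /etc/bind/zones/db.33.22.11
named-checkzone 102.101.100.in-addr.arpa /etc/bind/zones/db.102.101.100
# Live queries against the local server. They only reflect the new zone data
# once named has loaded it (step 5 restart, or `rndc reload`).
dig @127.0.0.1 mydomain.com NS +short
dig @127.0.0.1 mail.mydomain.com A +short
dig @127.0.0.1 mydomain.com MX +short
# The DKIM selector published in db.mydomain.com is "mydkim", so the lookup
# name is mydkim._domainkey (mail._domainkey does not exist and returns nothing).
dig @127.0.0.1 mydkim._domainkey.mydomain.com TXT +short
dig @127.0.0.1 _dmarc.mydomain.com TXT +short
# Reverse lookups for the two service addresses (expect mail. and local.).
dig @127.0.0.1 -x 11.22.33.44 +short
dig @127.0.0.1 -x 100.101.102.103 +short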
5. 재시작
# Start named at boot, load the new configuration now, and confirm the unit is active.
# If status shows "failed", check `journalctl -u named` for the zone or include file that did not load.
systemctl enable named
systemctl restart named
systemctl status named --no-pager