larytet · November 7, 2018 15:41
diff --git a/install-bind.diff b/install-bind.diff

 diff --git a/etc/NetworkManager/NetworkManager.conf b/etc/NetworkManager/NetworkManager.conf
 new file mode 100644
 index 0000000..28ab439
 --- /dev/null
 +++ b/etc/NetworkManager/NetworkManager.conf
 @@ -0,0 +1,19 @@
 +# Configuration file for NetworkManager.
 +#
 +# See "man 5 NetworkManager.conf" for details.
 +#
 +# The directory /etc/NetworkManager/conf.d/ can contain additional configuration
 +# snippets. Those snippets override the settings from this main file.
 +#
 +# The files within conf.d/ directory are read in asciibetical order.
 +#
 +# If two files define the same key, the one that is read afterwards will overwrite
 +# the previous one.
 +
 +[main]
 +plugins=ifcfg-rh
 +dns=dnsmasq
 +
 +[logging]
 +#level=DEBUG
 +#domains=ALL
 diff --git a/etc/dnsmasq.conf b/etc/dnsmasq.conf
 index 71380aa..6a8f3c0 100644
 --- a/etc/dnsmasq.conf
 +++ b/etc/dnsmasq.conf
 @@ -7,7 +7,7 @@
 # Listen on this specific port instead of the standard DNS port
 # (53). Setting this to zero completely disables DNS function,
 # leaving only DHCP and/or TFTP.
 -#port=5353
 +port=53
 
 # The following two options make you a better netizen, since they
 # tell dnsmasq to filter out queries which the public DNS cannot
 @@ -55,7 +55,7 @@
 # If you don't want dnsmasq to read /etc/resolv.conf or any other
 # file, getting its servers from this file instead (see below), then
 # uncomment this.
 -#no-resolv
 +no-resolv
 
 # If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
 # files for changes and re-read them then uncomment this.
 @@ -63,7 +63,9 @@
 
 # Add other name servers here, with domain specs if they are for
 # non-public domains.
 -#server=/localnet/192.168.0.1
 +#server=192.168.67.115
 +server=8.8.8.8
 +server=1.1.1.1
 
 # Example of routing PTR queries to nameservers: this will send all
 # address->name queries for 192.168.3/24 to nameserver 10.1.2.3
 @@ -103,12 +105,14 @@
 # specified interfaces (and the loopback) give the name of the
 # interface (eg eth0) here.
 # Repeat the line for more than one interface.
 -#interface=
 +#interface=ens32
 +
 # Or you can specify which interface _not_ to listen on
 #except-interface=
 # Or which to listen on by address (remember to include 127.0.0.1 if
 # you use this.)
 -#listen-address=
 +#listen-address=127.0.0.1,192.168.67.88,0.0.0.0
 +
 # If you want dnsmasq to provide only DNS service on an interface,
 # configure it as shown above, and then use the following line to
 # disable DHCP and TFTP on it.
 @@ -528,6 +532,7 @@
 # addresses in round robin fasion. This facility can be used to
 # load balance the tftp load among a set of servers.
 #dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
 +log-facility=/var/log/dnsmasq.log
 
 # Set the limit on DHCP leases, the default is 150
 #dhcp-lease-max=150
 @@ -554,7 +559,7 @@
 #dhcp-script=/bin/echo
 
 # Set the cachesize here.
 -#cache-size=150
 +cache-size=20000
 
 # If you want to disable negative caching, uncomment this.
 #no-negcache
 @@ -650,7 +655,7 @@
 
 # For debugging purposes, log each DNS query as it passes through
 # dnsmasq.
 -#log-queries
 +log-queries
 
 # Log lots of extra information about DHCP transactions.
 #log-dhcp
 diff --git a/etc/named.conf b/etc/named.conf
 new file mode 100644
 index 0000000..66ac22f
 --- /dev/null
 +++ b/etc/named.conf
 @@ -0,0 +1,161 @@
 +//
 +// named.conf
 +//
 +// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
 +// server as a caching only nameserver (as a localhost DNS resolver only).
 +//
 +// See /usr/share/doc/bind*/sample/ for example named configuration files.
 +//
 +// See the BIND Administrator's Reference Manual (ARM) for details about the
 +// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
 +
 +options {
 +       listen-on port 53 { 127.0.0.1; any;};
 +       listen-on-v6 port 53 { ::1; };
 +       directory       "/var/named";
 +       dump-file       "/var/named/data/cache_dump.db";
 +       statistics-file "/var/named/data/named_stats.txt";
 +       memstatistics-file "/var/named/data/named_mem_stats.txt";
 +       allow-query     { localhost; any;};
 +        forwarders {
 +                1.1.1.1;
 +                8.8.8.8;
 +        };
 +       /* 
 +        - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
 +        - If you are building a RECURSIVE (caching) DNS server, you need to enable 
 +          recursion. 
 +        - If your recursive DNS server has a public IP address, you MUST enable access 
 +          control to limit queries to your legitimate users. Failing to do so will
 +          cause your server to become part of large scale DNS amplification 
 +          attacks. Implementing BCP38 within your network would greatly
 +          reduce such attack surface 
 +       */
 +       recursion yes;
 +
 +       dnssec-enable yes;
 +       dnssec-validation yes;
 +       max-cache-size 2000000000;
 +
 +       /* Path to ISC DLV key */
 +       bindkeys-file "/etc/named.iscdlv.key";
 +
 +       managed-keys-directory "/var/named/dynamic";
 +
 +       pid-file "/run/named/named.pid";
 +       session-keyfile "/run/named/session.key";
 +};
 +
 +logging {
 +    channel default_file {
 +        file "/var/log/named/default.log" versions 3 size 5m;
 +        severity dynamic;
 +        print-time yes;
 +    };
 +    channel general_file {
 +        file "/var/log/named/general.log" versions 3 size 5m;
 +        severity dynamic;
 +        print-time yes;
 +    };
 +    channel database_file {
 +        file "/var/log/named/database.log" versions 3 size 5m;
 +        severity dynamic;
 +        print-time yes;
 +    };
 +    channel security_file {
 +        file "/var/log/named/security.log" versions 3 size 5m;
 +        severity dynamic;
 +        print-time yes;
 +    };
 +    channel config_file {
 +        file "/var/log/named/config.log" versions 3 size 5m;
 +        severity dynamic;
 +        print-time yes;
 +    };
 +    channel resolver_file {
 +        file "/var/log/named/resolver.log" versions 3 size 5m;
 +        severity dynamic;
 +        print-time yes;
 +    };
 +    channel xfer-in_file {
 +        file "/var/log/named/xfer-in.log" versions 3 size 5m;
 +        severity dynamic;
 +        print-time yes;
 +    };
 +    channel xfer-out_file {
 +        file "/var/log/named/xfer-out.log" versions 3 size 5m;
 +        severity dynamic;
 +        print-time yes;
 +    };
 +    channel notify_file {
 +        file "/var/log/named/notify.log" versions 3 size 5m;
 +        severity dynamic;
 +        print-time yes;
 +    };
 +    channel client_file {
 +        file "/var/log/named/client.log" versions 3 size 5m;
 +        severity dynamic;
 +        print-time yes;
 +    };
 +    channel unmatched_file {
 +        file "/var/log/named/unmatched.log" versions 3 size 5m;
 +        severity dynamic;
 +        print-time yes;
 +    };
 +    channel queries_file {
 +        file "/var/log/named/queries.log" versions 3 size 5m;
 +        severity dynamic;
 +        print-time yes;
 +    };
 +    channel network_file {
 +        file "/var/log/named/network.log" versions 3 size 5m;
 +        severity dynamic;
 +        print-time yes;
 +    };
 +    channel update_file {
 +        file "/var/log/named/update.log" versions 3 size 5m;
 +        severity dynamic;
 +        print-time yes;
 +    };
 +    channel dispatch_file {
 +        file "/var/log/named/dispatch.log" versions 3 size 5m;
 +        severity dynamic;
 +        print-time yes;
 +    };
 +    channel dnssec_file {
 +        file "/var/log/named/dnssec.log" versions 3 size 5m;
 +        severity dynamic;
 +        print-time yes;
 +    };
 +    channel lame-servers_file {
 +        file "/var/log/named/lame-servers.log" versions 3 size 5m;
 +        severity dynamic;
 +        print-time yes;
 +    };
 +
 +    category default { default_file; };
 +    category general { general_file; };
 +    category database { database_file; };
 +    category security { security_file; };
 +    category config { config_file; };
 +    category resolver { resolver_file; };
 +    category xfer-in { xfer-in_file; };
 +    category xfer-out { xfer-out_file; };
 +    category notify { notify_file; };
 +    category client { client_file; };
 +    category unmatched { unmatched_file; };
 +    category queries { queries_file; };
 +    category network { network_file; };
 +    category update { update_file; };
 +    category dispatch { dispatch_file; };
 +    category dnssec { dnssec_file; };
 +    category lame-servers { lame-servers_file; };
 +};
 +zone "." IN {
 +       type hint;
 +       file "named.ca";
 +};
 +
 +include "/etc/named.rfc1912.zones";
 +include "/etc/named.root.key";
 +
 diff --git a/etc/resolv.conf b/etc/resolv.conf
 index f6b1eb7..0f905c8 100644
 --- a/etc/resolv.conf
 +++ b/etc/resolv.conf
 @@ -1,4 +1,5 @@
 # Generated by NetworkManager
 search blue.websaas.rnd.qa
 -#nameserver 172.20.20.1
 -nameserver 8.8.8.8
 +#nameserver 172.20.15.1
 +#nameserver 172.20.15.2
 +nameserver 127.0.0.1
 [root@wn3 ~]#

	diff --git a/etc/NetworkManager/NetworkManager.conf b/etc/NetworkManager/NetworkManager.conf
	new file mode 100644
	index 0000000..28ab439
	--- /dev/null
	+++ b/etc/NetworkManager/NetworkManager.conf
	@@ -0,0 +1,19 @@
	+# Configuration file for NetworkManager.
	+#
	+# See "man 5 NetworkManager.conf" for details.
	+#
	+# The directory /etc/NetworkManager/conf.d/ can contain additional configuration
	+# snippets. Those snippets override the settings from this main file.
	+#
	+# The files within conf.d/ directory are read in asciibetical order.
	+#
	+# If two files define the same key, the one that is read afterwards will overwrite
	+# the previous one.
	+
	+[main]
	+plugins=ifcfg-rh
	+dns=dnsmasq
	+
	+[logging]
	+#level=DEBUG
	+#domains=ALL
	diff --git a/etc/dnsmasq.conf b/etc/dnsmasq.conf
	index 71380aa..6a8f3c0 100644
	--- a/etc/dnsmasq.conf
	+++ b/etc/dnsmasq.conf
	@@ -7,7 +7,7 @@
	# Listen on this specific port instead of the standard DNS port
	# (53). Setting this to zero completely disables DNS function,
	# leaving only DHCP and/or TFTP.
	-#port=5353
	+port=53

	# The following two options make you a better netizen, since they
	# tell dnsmasq to filter out queries which the public DNS cannot
	@@ -55,7 +55,7 @@
	# If you don't want dnsmasq to read /etc/resolv.conf or any other
	# file, getting its servers from this file instead (see below), then
	# uncomment this.
	-#no-resolv
	+no-resolv

	# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
	# files for changes and re-read them then uncomment this.
	@@ -63,7 +63,9 @@

	# Add other name servers here, with domain specs if they are for
	# non-public domains.
	-#server=/localnet/192.168.0.1
	+#server=192.168.67.115
	+server=8.8.8.8
	+server=1.1.1.1

	# Example of routing PTR queries to nameservers: this will send all
	# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
	@@ -103,12 +105,14 @@
	# specified interfaces (and the loopback) give the name of the
	# interface (eg eth0) here.
	# Repeat the line for more than one interface.
	-#interface=
	+#interface=ens32
	+
	# Or you can specify which interface _not_ to listen on
	#except-interface=
	# Or which to listen on by address (remember to include 127.0.0.1 if
	# you use this.)
	-#listen-address=
	+#listen-address=127.0.0.1,192.168.67.88,0.0.0.0
	+
	# If you want dnsmasq to provide only DNS service on an interface,
	# configure it as shown above, and then use the following line to
	# disable DHCP and TFTP on it.
	@@ -528,6 +532,7 @@
	# addresses in round robin fasion. This facility can be used to
	# load balance the tftp load among a set of servers.
	#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
	+log-facility=/var/log/dnsmasq.log

	# Set the limit on DHCP leases, the default is 150
	#dhcp-lease-max=150
	@@ -554,7 +559,7 @@
	#dhcp-script=/bin/echo

	# Set the cachesize here.
	-#cache-size=150
	+cache-size=20000

	# If you want to disable negative caching, uncomment this.
	#no-negcache
	@@ -650,7 +655,7 @@

	# For debugging purposes, log each DNS query as it passes through
	# dnsmasq.
	-#log-queries
	+log-queries

	# Log lots of extra information about DHCP transactions.
	#log-dhcp
	diff --git a/etc/named.conf b/etc/named.conf
	new file mode 100644
	index 0000000..66ac22f
	--- /dev/null
	+++ b/etc/named.conf
	@@ -0,0 +1,161 @@
	+//
	+// named.conf
	+//
	+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
	+// server as a caching only nameserver (as a localhost DNS resolver only).
	+//
	+// See /usr/share/doc/bind*/sample/ for example named configuration files.
	+//
	+// See the BIND Administrator's Reference Manual (ARM) for details about the
	+// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
	+
	+options {
	+ listen-on port 53 { 127.0.0.1; any;};
	+ listen-on-v6 port 53 { ::1; };
	+ directory "/var/named";
	+ dump-file "/var/named/data/cache_dump.db";
	+ statistics-file "/var/named/data/named_stats.txt";
	+ memstatistics-file "/var/named/data/named_mem_stats.txt";
	+ allow-query { localhost; any;};
	+ forwarders {
	+ 1.1.1.1;
	+ 8.8.8.8;
	+ };
	+ /*
	+ - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	+ - If you are building a RECURSIVE (caching) DNS server, you need to enable
	+ recursion.
	+ - If your recursive DNS server has a public IP address, you MUST enable access
	+ control to limit queries to your legitimate users. Failing to do so will
	+ cause your server to become part of large scale DNS amplification
	+ attacks. Implementing BCP38 within your network would greatly
	+ reduce such attack surface
	+ */
	+ recursion yes;
	+
	+ dnssec-enable yes;
	+ dnssec-validation yes;
	+ max-cache-size 2000000000;
	+
	+ /* Path to ISC DLV key */
	+ bindkeys-file "/etc/named.iscdlv.key";
	+
	+ managed-keys-directory "/var/named/dynamic";
	+
	+ pid-file "/run/named/named.pid";
	+ session-keyfile "/run/named/session.key";
	+};
	+
	+logging {
	+ channel default_file {
	+ file "/var/log/named/default.log" versions 3 size 5m;
	+ severity dynamic;
	+ print-time yes;
	+ };
	+ channel general_file {
	+ file "/var/log/named/general.log" versions 3 size 5m;
	+ severity dynamic;
	+ print-time yes;
	+ };
	+ channel database_file {
	+ file "/var/log/named/database.log" versions 3 size 5m;
	+ severity dynamic;
	+ print-time yes;
	+ };
	+ channel security_file {
	+ file "/var/log/named/security.log" versions 3 size 5m;
	+ severity dynamic;
	+ print-time yes;
	+ };
	+ channel config_file {
	+ file "/var/log/named/config.log" versions 3 size 5m;
	+ severity dynamic;
	+ print-time yes;
	+ };
	+ channel resolver_file {
	+ file "/var/log/named/resolver.log" versions 3 size 5m;
	+ severity dynamic;
	+ print-time yes;
	+ };
	+ channel xfer-in_file {
	+ file "/var/log/named/xfer-in.log" versions 3 size 5m;
	+ severity dynamic;
	+ print-time yes;
	+ };
	+ channel xfer-out_file {
	+ file "/var/log/named/xfer-out.log" versions 3 size 5m;
	+ severity dynamic;
	+ print-time yes;
	+ };
	+ channel notify_file {
	+ file "/var/log/named/notify.log" versions 3 size 5m;
	+ severity dynamic;
	+ print-time yes;
	+ };
	+ channel client_file {
	+ file "/var/log/named/client.log" versions 3 size 5m;
	+ severity dynamic;
	+ print-time yes;
	+ };
	+ channel unmatched_file {
	+ file "/var/log/named/unmatched.log" versions 3 size 5m;
	+ severity dynamic;
	+ print-time yes;
	+ };
	+ channel queries_file {
	+ file "/var/log/named/queries.log" versions 3 size 5m;
	+ severity dynamic;
	+ print-time yes;
	+ };
	+ channel network_file {
	+ file "/var/log/named/network.log" versions 3 size 5m;
	+ severity dynamic;
	+ print-time yes;
	+ };
	+ channel update_file {
	+ file "/var/log/named/update.log" versions 3 size 5m;
	+ severity dynamic;
	+ print-time yes;
	+ };
	+ channel dispatch_file {
	+ file "/var/log/named/dispatch.log" versions 3 size 5m;
	+ severity dynamic;
	+ print-time yes;
	+ };
	+ channel dnssec_file {
	+ file "/var/log/named/dnssec.log" versions 3 size 5m;
	+ severity dynamic;
	+ print-time yes;
	+ };
	+ channel lame-servers_file {
	+ file "/var/log/named/lame-servers.log" versions 3 size 5m;
	+ severity dynamic;
	+ print-time yes;
	+ };
	+
	+ category default { default_file; };
	+ category general { general_file; };
	+ category database { database_file; };
	+ category security { security_file; };
	+ category config { config_file; };
	+ category resolver { resolver_file; };
	+ category xfer-in { xfer-in_file; };
	+ category xfer-out { xfer-out_file; };
	+ category notify { notify_file; };
	+ category client { client_file; };
	+ category unmatched { unmatched_file; };
	+ category queries { queries_file; };
	+ category network { network_file; };
	+ category update { update_file; };
	+ category dispatch { dispatch_file; };
	+ category dnssec { dnssec_file; };
	+ category lame-servers { lame-servers_file; };
	+};
	+zone "." IN {
	+ type hint;
	+ file "named.ca";
	+};
	+
	+include "/etc/named.rfc1912.zones";
	+include "/etc/named.root.key";
	+
	diff --git a/etc/resolv.conf b/etc/resolv.conf
	index f6b1eb7..0f905c8 100644
	--- a/etc/resolv.conf
	+++ b/etc/resolv.conf
	@@ -1,4 +1,5 @@
	# Generated by NetworkManager
	search blue.websaas.rnd.qa
	-#nameserver 172.20.20.1
	-nameserver 8.8.8.8
	+#nameserver 172.20.15.1
	+#nameserver 172.20.15.2
	+nameserver 127.0.0.1
	[root@wn3 ~]#