
[Linux] Example of recursive queries from an NTP server to an upstream NTP server on the Internet

Work log

DNS (Bind)

NTP server


Installing Bind

[root@bind ~]# yum install bind


Editing the /etc/named.conf file

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
   listen-on port 53 { 127.0.0.1; 192.168.3.10; };  # NTP server's IP address (every address in the list needs a trailing ';')
   listen-on-v6 port 53 { ::1; };
   directory   "/var/named";
   dump-file   "/var/named/data/cache_dump.db";
   statistics-file "/var/named/data/named_stats.txt";
   memstatistics-file "/var/named/data/named_mem_stats.txt";
   recursing-file  "/var/named/data/named.recursing";
   secroots-file   "/var/named/data/named.secroots";
   allow-query     { localhost; 192.168.3.0/24; }; # networks allowed to query
   forwarders      { 8.8.8.8; }; # where recursive queries are forwarded

   /*
    - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
    - If you are building a RECURSIVE (caching) DNS server, you need to enable
      recursion.
    - If your recursive DNS server has a public IP address, you MUST enable access
      control to limit queries to your legitimate users. Failing to do so will
      cause your server to become part of large scale DNS amplification
      attacks. Implementing BCP38 within your network would greatly
      reduce such attack surface
   */
   recursion yes; # allow recursive queries

   dnssec-enable yes;
   dnssec-validation yes;

   /* Path to ISC DLV key */
   bindkeys-file "/etc/named.root.key";

   managed-keys-directory "/var/named/dynamic";

   pid-file "/run/named/named.pid";
   session-keyfile "/run/named/session.key";
};
// The logging, zone and include sections of the stock file follow here (not shown in this log).

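The comment block that ships in the stock file warns that a recursive server without access control becomes a DNS amplification reflector. The following script is an added example, not code from this page or from the BIND project: it parses an options block like the one above and flags the combinations that would make the server an open resolver. Both configurations inside it are constructed: the first is this page's options block reduced to the relevant statements, with the two missing semicolons added; the second is the same block with allow-query opened to any. The audit relies on BIND's documented fallback for allow-recursion (allow-query-cache, then allow-query, then localnets and localhost), which is why the page's allow-query line is what keeps this resolver closed.

```python
"""Audit a BIND options block for open-resolver settings (added example)."""
import re

# Constructed sample: this page's options block, trimmed to the statements that
# matter here, with the missing ';' after 192.168.3.10 and 192.168.3.0/24 added.
SAFE_CONF = """
options {
   listen-on port 53 { 127.0.0.1; 192.168.3.10; };  # NTP server's IP address
   listen-on-v6 port 53 { ::1; };
   directory   "/var/named";
   allow-query     { localhost; 192.168.3.0/24; }; # networks allowed to query
   forwarders      { 8.8.8.8; }; # where recursive queries are forwarded
   /* recursion must be paired with access control */
   recursion yes; # allow recursive queries
   dnssec-enable yes;
   dnssec-validation yes;
};
"""

# Constructed counter-example: the same resolver opened to every client.
OPEN_CONF = SAFE_CONF.replace("{ localhost; 192.168.3.0/24; }", "{ any; }")

LIST_STMT = re.compile(r"([\w-]+)(?:\s+port\s+\d+)?\s*\{([^}]*)\}\s*;")
SIMPLE_STMT = re.compile(r"([\w-]+)\s+([^;{}]+?)\s*;")


def _strip_comments(text):
    """named.conf accepts C (/* */), C++ (//) and shell (#) comments; drop them all."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def _options_body(text):
    """Return the text inside the braces of the options { ... } block."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        raise ValueError("no options block found")
    start, depth = m.end() - 1, 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unterminated options block")


def parse_options(conf):
    """Map each option name to a list of values; brace lists are split on ';'."""
    body = _options_body(_strip_comments(conf))
    opts = {name: [v.strip() for v in items.split(";") if v.strip()]
            for name, items in LIST_STMT.findall(body)}
    for name, value in SIMPLE_STMT.findall(LIST_STMT.sub("", body)):
        opts[name] = [value.strip().strip('"')]
    return opts


def audit(conf):
    """Return a list of findings; an empty list means no open-resolver risk was found."""
    o = parse_options(conf)
    findings = []
    recursive = o.get("recursion", ["yes"])[0].lower() == "yes"  # BIND defaults to yes
    # BIND's fallback chain when allow-recursion is not set: allow-query-cache,
    # then allow-query, then { localnets; localhost; }.
    acl = (o.get("allow-recursion") or o.get("allow-query-cache")
           or o.get("allow-query") or ["localnets", "localhost"])
    if recursive and "any" in acl:
        findings.append("recursion is open to any client: DNS amplification risk")
    if o.get("dnssec-validation", ["unset"])[0].lower() not in ("yes", "auto"):
        findings.append("dnssec-validation is not enabled explicitly: forwarded answers are unverified")
    if o.get("forwarders") and not recursive:
        findings.append("forwarders are set but recursion is off: client queries will not be forwarded")
    return findings


if __name__ == "__main__":
    for label, conf in (("page config", SAFE_CONF), ("opened config", OPEN_CONF)):
        print(label, "->", audit(conf) or ["no findings"])
```

Run it before the restart step alongside named-checkconf: the latter catches the missing semicolons, this check catches the policy mistake that named-checkconf accepts without complaint.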

Restart

[root@bind ~]# systemctl restart named
[root@bind ~]# systemctl status named


Verifying operation from the NTP server

Name resolution with the getent command

[root@honban ~]$ getent hosts ntp.nict.go.jp
133.243.238.163 ntp.nict.go.jp
133.243.238.243 ntp.nict.go.jp
133.243.238.164 ntp.nict.go.jp
133.243.238.244 ntp.nict.go.jp
[root@honban ~]$ 


Editing /etc/chrony.conf

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server  0.centos.pool.ntp.org iburst
#server  1.centos.pool.ntp.org iburst
#server  2.centos.pool.ntp.org iburst
#server  3.centos.pool.ntp.org iburst
#server  ntp.nict.jp iburst
#server  ntp.jst.mfeed.ad.jp iburst
# Enter the domain that resolved successfully (chrony only treats a line that
# starts with '#' as a comment, so keep this note on its own line)
pool ntp.nict.jp iburst

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3


Restart chrony

[root@honban ~]$ systemctl restart chronyd


Check the time-synchronization status

[root@honban ~]$ chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^+ ntp-b2.nict.go.jp             1   6    17    13  -1904us[+1946us] +/-   20ms
^? ntp-a3.nict.go.jp             0   6     0     -     +0ns[   +0ns] +/-    0ns
^+ ntp-a2.nict.go.jp             1   6    17    13  +7816us[  +12ms] +/- 9318us
^* ntp-k1.nict.jp                1   6    17    13  -3680us[ +171us] +/-   26ms
[root@honban ~]$ 

Because a "*" is present, the FQDN was resolved successfully and synchronization has completed.
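Looking for the "*" by eye works once; a monitoring job needs the same decision in code. The following is an added Python example, not part of the original post, that parses the text chronyc sources prints and reports whether a source is selected, which one, and which sources have a reach register of zero. The sample input is the output shown above, copied verbatim, plus a constructed variant in which the selected source is marked unreachable; the function and field names are my own.

```python
"""Parse `chronyc sources` output and report whether the clock is synchronized."""
import re

# Sample input: the `chronyc sources` output shown on this page, copied verbatim.
SAMPLE = """\
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ ntp-b2.nict.go.jp             1   6    17    13  -1904us[+1946us] +/-   20ms
^? ntp-a3.nict.go.jp             0   6     0     -     +0ns[   +0ns] +/-    0ns
^+ ntp-a2.nict.go.jp             1   6    17    13  +7816us[  +12ms] +/- 9318us
^* ntp-k1.nict.jp                1   6    17    13  -3680us[ +171us] +/-   26ms
"""

# Constructed variant: the selected source is now marked unreachable ('?').
UNSYNCED = SAMPLE.replace("^* ntp-k1", "^? ntp-k1")

# Second column of chronyc sources: the state of each source.
STATES = {"*": "selected", "+": "combined", "-": "excluded",
          "?": "unreachable", "x": "falseticker", "~": "jittery"}
# "Last sample": adjusted offset, [measured offset], +/- error margin
LAST_SAMPLE = re.compile(r"([+-]\d+\w+)\[\s*([+-]\d+\w+)\]\s*\+/-\s*(\d+\w+)")


def parse_sources(text):
    """Return one dict per source line; header, ruler and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        # Source lines start with a mode char (^ server, = peer, # refclock)
        # followed by a state char; the '===' ruler fails the state test.
        if len(line) < 3 or line[0] not in "^=#" or line[1] not in STATES:
            continue
        fields = line[2:].split()
        m = LAST_SAMPLE.search(line)
        rows.append({
            "mode": line[0],
            "state": STATES[line[1]],
            "name": fields[0],
            "stratum": int(fields[1]),
            "poll": int(fields[2]),
            "reach": int(fields[3], 8),   # chrony prints the reach register in octal
            "lastrx": fields[4],
            "offset_adjusted": m.group(1) if m else None,
            "offset_measured": m.group(2) if m else None,
            "error": m.group(3) if m else None,
        })
    return rows


def sync_status(sources):
    """Summarize: is a source selected ('*'), which one, and which sources are dead."""
    selected = [s for s in sources if s["state"] == "selected"]
    return {
        "synchronized": bool(selected),
        "selected": selected[0]["name"] if selected else None,
        "selected_stratum": selected[0]["stratum"] if selected else None,
        # reach is an 8-bit shift register of the last eight polls; 0 means no replies
        "unreachable": [s["name"] for s in sources if s["reach"] == 0],
    }


if __name__ == "__main__":
    for label, text in (("page output", SAMPLE), ("constructed outage", UNSYNCED)):
        print(label, "->", sync_status(parse_sources(text)))
```

Feed it `chronyc sources` output from a cron job or a monitoring agent; a result with synchronized set to False, or with an entry in unreachable, is the condition worth alerting on, since an NTP server that silently loses its upstream keeps serving time that drifts.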
