[Linux] Example of an NTP server resolving its upstream Internet NTP servers through a recursive DNS server
Tags: work log, DNS (Bind), NTP server
Installing Bind
[root@bind ~]# yum install bind
Editing /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; 192.168.3.10; }; # IP address of the NTP server
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file "/var/named/data/named.recursing";
        secroots-file "/var/named/data/named.secroots";
        allow-query { localhost; 192.168.3.0/24; }; # network addresses allowed to query
        forwarders { 8.8.8.8; }; # where recursive queries are forwarded

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes; # allow recursive queries

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
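An added example, not part of this work log: a small Python check for the exposure the comment block in named.conf warns about (a recursive resolver that answers anyone becomes a DNS amplification reflector). It takes the relevant directives from the options block above as a constructed sample and contrasts them with an `allow-query { any; };` variant; the names and the BIND default it mentions are my own assumptions, not from the page.

```python
import re

# Constructed sample: the relevant directives from this page's named.conf options block
# (recursion on, queries limited to localhost and the LAN), plus an open-resolver variant.
PAGE_CONF = """
options {
    listen-on port 53 { 127.0.0.1; 192.168.3.10; };
    allow-query { localhost; 192.168.3.0/24; };  # permitted networks
    forwarders { 8.8.8.8; };
    recursion yes;  # recursion allowed
};
"""
OPEN_CONF = PAGE_CONF.replace("{ localhost; 192.168.3.0/24; }", "{ any; }")

def _strip_comments(text):
    # BIND accepts /* */, // and # comments; remove all three before matching.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def _addr_list(conf, keyword):
    # Entries of e.g. `allow-query { a; b; };` as a list, or None when the directive is absent.
    m = re.search(rf"\b{keyword}(?![\w-])[^{{;]*\{{([^}}]*)\}}", conf)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]

def check_resolver_exposure(conf_text):
    """Return findings (strings) for a named.conf snippet; an empty list means nothing found."""
    conf = _strip_comments(conf_text)
    findings = []
    recursion = re.search(r"\brecursion\s+(yes|no)\s*;", conf)
    if recursion is None or recursion.group(1) != "yes":
        return findings  # authoritative-only server: no recursion to abuse
    # allow-recursion takes precedence for recursive queries; otherwise allow-query applies.
    acl = _addr_list(conf, "allow-recursion")
    if acl is None:
        acl = _addr_list(conf, "allow-query")
    if acl is None:
        findings.append("no allow-recursion/allow-query ACL; relying on BIND's default (localhost; localnets)")
    elif "any" in acl or "0.0.0.0/0" in acl:
        findings.append("recursion is enabled for any client (open resolver)")
    listen = _addr_list(conf, "listen-on") or []
    if "any" in listen or "0.0.0.0" in listen:
        findings.append("listen-on binds every interface; restrict it to the LAN address")
    return findings

if __name__ == "__main__":
    for name, conf in (("page config", PAGE_CONF), ("open variant", OPEN_CONF)):
        print(name, "->", check_resolver_exposure(conf) or ["OK"])
```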
Restart
[root@bind ~]# systemctl restart named
[root@bind ~]# systemctl status named
Verifying operation from the NTP server
Name resolution with the getent command
[root@honban ~]$ getent hosts ntp.nict.go.jp
133.243.238.163 ntp.nict.go.jp
133.243.238.243 ntp.nict.go.jp
133.243.238.164 ntp.nict.go.jp
133.243.238.244 ntp.nict.go.jp
[root@honban ~]$
Editing /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
#server ntp.nict.jp iburst
#server ntp.jst.mfeed.ad.jp iburst
pool ntp.nict.jp iburst # use the domain whose name resolution succeeded

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3

Restart chrony
[root@honban ~]$ systemctl restart chronyd
Check the time synchronisation status
[root@honban ~]$ chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ ntp-b2.nict.go.jp             1   6    17    13  -1904us[+1946us] +/-   20ms
^? ntp-a3.nict.go.jp             0   6     0     -     +0ns[   +0ns] +/-    0ns
^+ ntp-a2.nict.go.jp             1   6    17    13  +7816us[  +12ms] +/- 9318us
^* ntp-k1.nict.jp                1   6    17    13  -3680us[ +171us] +/-   26ms
[root@honban ~]$
Because a source is marked with "*", the FQDN was resolved and synchronisation completed successfully.