Bind 9 Quick How To

8/8/2019 Bind 9 Quick How To http://slidepdf.com/reader/full/bind-9-quick-how-to 1/31

Upload: cristian-munoz-silva

Post on 10-Apr-2018



Configuring resolv.conf

You'll have to make your DNS server refer to itself for all DNS queries by configuring the /etc/resolv.conf file to reference localhost only.

nameserver 127.0.0.1

Creating a named.conf Base Configuration

The /etc/named.conf file contains the main DNS configuration and tells BIND where to find the configuration, or zone files, for each domain you own. This file usually has two zone areas:

- Forward zone file definitions list files to map domains to IP addresses.
- Reverse zone file definitions list files to map IP addresses to domains.

Some versions of BIND will come with a /etc/named.conf file configured to work as a caching nameserver, which can be converted to an authoritative nameserver by adding the correct references to your zone files. Please proceed to the next section if this is the case with your version of BIND.

In other cases the named.conf configuration file may be hard to find. Some versions of Linux install BIND as a default caching nameserver using a file named /etc/named.caching-nameserver.conf for its configuration. In such cases BIND becomes an authoritative nameserver when a correctly configured /etc/named.conf file is created.

Fortunately BIND comes with samples of all the primary files you need. Table 18.3 explains their names and purpose in more detail.

Table 18.3 The Primary BIND Configuration Files

File                        Description
/etc/named.conf             The main configuration file that lists the location of all your domain's zone files.
/etc/named.rfc1912.zones    Base configuration file for a caching name server.
/var/named/named.ca         A list of the 13 root authoritative DNS servers.

The first task is to make sure your DNS server will listen for requests on all the required network interfaces. The options section of named.conf may be configured to listen exclusively on its internal hidden localhost interface with an IP address of 127.0.0.1, as we see in this example.

# File: /etc/named.conf

options {
    listen-on port 53 { 127.0.0.1; };
};


If other devices are going to rely on your server for queries, then you'll need to either change this or add a selected number of IP addresses on your server. In this example, we allow queries on any interface.

listen-on port 53 { any; };

In this example, we allow queries on localhost and address 192.168.1.100.

listen-on port 53 { 127.0.0.1; 192.168.1.100; };

Note: Always make sure localhost, 127.0.0.1 is included.

Though it is not required, it is a good practice to configure your DNS server's named.conf file to support BIND views. This will be discussed next.

Configuring BIND Views in named.conf

Our sample scenario assumes that DNS queries will be coming from the Internet and that the zone files will return information related to the external 97.158.253.26 address of the Web server. What do the PCs on your home network need to see? They need to see DNS references to the real IP address of the Web server, 192.168.1.100, because NAT won't work properly if a PC on your home network attempts to connect to the external 97.158.253.26 NAT IP address of your Web server. Don't worry. BIND figures this out using its views feature, which allows you to use predefined zone files for queries from certain subnets. This means it's possible to use one set of zone files for queries from the Internet and another set for queries from your home network. Here's a summary of how it's done:

1. If your DNS server is also acting as a caching DNS server, then you'll also need a view for localhost to use. We'll use a view called localhost_resolver for this.

2. Place your zone statements in the /etc/named.conf file in one of two other view sections. The first section is called internal and lists the zone files to be used by your internal network. The second view, called external, lists the zone files to be used for Internet users.

   For example, you could have a reference to a zone file called my-site.zone for lookups related to the 97.158.253.X network, which Internet users would see. This /etc/named.conf entry would be inserted in the external section. You could also have a file called my-site-home.zone for lookups by home users on the 192.168.1.0 network. This entry would be inserted in the internal section. Creating the my-site-home.zone file is fairly easy: copy it from the my-site.zone file and replace all references to 97.158.253.X with references to 192.168.1.X.

3. You must also tell the DNS server which addresses you feel are internal and external. To do this, you must first define the internal and external networks with access control lists (ACLs) and then refer to these lists within their respective view section with the match-clients statement. Some built-in ACLs can save you time:


- localhost: Refers to the DNS server itself
- localnets: Refers to all the networks to which the DNS server is directly connected
- any: which is self explanatory.

Let's examine BIND views more carefully using a number of sample configuration snippets from the /etc/named.conf file I use for my home network. All the statements below were inserted after the options and controls sections in the file. I have selected generic names: internal, for views given to trusted hosts (home, non-internet or corporate users), and external for the views given to Internet clients, but they can be named whatever you wish.

First let's talk about how we should refer to the zone files in each view.

Forward Zone File References in named.conf

Let's describe how we point to forward zone files in a typical named.conf file.

In this example the zone file is named my-site.zone, and, although not explicitly stated, the file my-site.zone should be located in the default directory of /var/named/chroot/var/named in a chroot configuration or in /var/named in a regular one. With Debian / Ubuntu, references to the full file path will have to be used. Use the code:

zone "my-web-site.org" {
    type master;
    notify no;
    allow-query { any; };
    file "my-site.zone";
};

In addition, you can insert more entries in the named.conf file to reference other Web domains you host. Here is an example for another-site.com using a zone file named another-site.zone.

zone "another-site.com" {
    type master;
    notify no;
    allow-query { any; };
    file "another-site.zone";
};

Note: The allow-query directive defines the networks that are allowed to query your DNS server for information on any zone. For example, to limit queries to only your 192.168.1.0 network, you could modify the directive to:

allow-query { 192.168.1.0/24; };


Reverse Zone File References in named.conf

Here's how to format entries that refer to zone files used for reverse lookups for your IP addresses.

In most cases, your ISP handles the reverse zone entries for your public IP addresses, but you will have to create reverse zone entries for your SOHO/home environment using the 192.168.1.0/24 address space. This isn't important for the Windows clients on your network, but some Linux applications require valid forward and reverse entries to operate correctly.

The forward domain lookup process for mysite.com scans the FQDN from right to left to get increasingly more specific information about the authoritative servers to use. Reverse lookups operate similarly by scanning an IP address from left to right to get increasingly specific information about an address.

The similarity in both methods is that increasingly specific information is sought, but the noticeable difference is that for forward lookups the scan is from right to left, and for reverse lookups the scan is from left to right. This difference can be seen in the formatting of the zone statement for a reverse zone in the /etc/named.conf file, where the main in-addr.arpa domain, to which all IP addresses belong, is followed by the first 3 octets of the IP address in reverse order. This order is important to remember or else the configuration will fail. This reverse zone definition for named.conf uses a reverse zone file named 192-168-1.zone for the 192.168.1.0/24 network.

zone "1.168.192.in-addr.arpa" {
    type master;
    notify no;
    allow-query { any; };
    file "192-168-1.zone";
};

Your patience will soon be rewarded. It's time to talk about the views! Let's go!


The Caching Nameserver localhost_resolver View

The localhost_resolver view is used for your caching DNS server configuration and should look like this:

view "localhost_resolver"
{
    /* This view sets up named to be a localhost resolver
     * ( caching only nameserver ). If all you want is a
     * caching-only nameserver, then you need only define this view: */

    match-clients { localhost; };
    match-destinations { localhost; };

    // As your caching name server clients will be using this server
    // for DNS lookups to get to sites all over the Web you'll need to
    // turn on recursion
    recursion yes;

    // All views used by caching nameserver clients must
    // contain the root hints zone. Recursive lookups to DNS domains
    // you don't own (non-authoritative) starts here.
    zone "." IN {
        type hint;
        file "named.ca";
    };

    /* these are zones that contain definitions for all the localhost
     * names and addresses, as recommended in RFC1912 - these names should
     * ONLY be served to localhost clients: */
    include "/etc/named.rfc1912.zones";

    /* Include zonefiles for internal zones */
    include "/var/named/zones/internal/internal_zones.conf";
};

There are some quick facts you should be aware of with your caching name server configuration:

1. If you want your server to be only a caching DNS server, then delete all other views in named.conf and restart the named daemon.

[root@bigboy tmp]# /etc/init.d/named restart

2. Make all the other machines on your network point to the caching DNS server as their primary DNS server.


3. Remember that all DNS queries done on your DNS server appear to come from localhost. If your server is also an authoritative server for your domain, you will have to include a reference to your domain's zone files in this section for the server's own DNS lookups to work. If not, queries from clients defined by the internal and external ACLs will work correctly, but queries for the domain from the server itself will fail. In this example we have included a reference to the internal_zones.conf zone file, which we'll visit again soon. This line can be deleted if your server isn't an authoritative server for your domain.

Note: If you have a localhost-only view like this, make sure you don't reference localhost in any of your other views, as one view will take precedence over the other for queries from your server. This could lead to unpredictable results.

The Internal View

In this example I included an ACL for network 192.168.17.0/24 called safe-subnet to help clarify the use of ACLs in more complex environments. Once the ACL was defined, I then inserted a reference to the safe-subnet in the match-clients statement in the internal view. Therefore the local network (192.168.1.0/24), the other trusted network (192.168.17.0), and localhost get DNS data from the zone files in the internal view.

// ACL statement
acl "safe-subnet" { 192.168.17.0/24; };

view "internal" { // What the home network will see

    match-clients { localnets; localhost; safe-subnet; };
    match-destinations { localnets; localhost; safe-subnet; };

    // As your caching name server clients will be using this server
    // for DNS lookups to get to sites all over the Web you'll need to
    // turn on recursion
    recursion yes;

    // All views used by caching nameserver clients must
    // contain the root hints zone. Recursive lookups to DNS domains
    // you don't own (non-authoritative) starts here.
    zone "." IN {
        type hint;
        file "named.ca";
    };

    // These are your "authoritative" internal zones, and would probably
    // also be included in the "localhost_resolver" view above:

    /* Include zonefiles for internal zones */
    include "/var/named/zones/internal/internal_zones.conf";
};


The question you may have on your mind is, "Where are the zone file definitions?". Don't worry, there is an include statement that refers to a file named internal_zones.conf that contains them all, as we see here:

// File internal_zones.conf

zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "/var/named/zones/internal/192.168.1.zone";
    allow-update { none; };
};

zone "my-web-site.org" IN {
    type master;
    file "/var/named/zones/internal/my-web-site.org.zone";
    allow-update { none; };
};

I'll discuss how to handle queries from clients outside your trusted networks in the next section, where an external view can be used.

The External View

You can also set up an external view that will be used for DNS queries from clients outside your network, such as the Internet. In this case external queries get results from zone files in the /var/named/zones/external directory.

view "external" { // What the Internet will see

    /* This view will contain zones you want to serve only to "external"
     * clients that have addresses that are not on your directly attached
     * LAN interface subnets: */

    match-clients { any; };
    match-destinations { any; };

    // you'd probably want to deny recursion to external clients, so you don't
    // end up providing free DNS service to all takers
    recursion no;

    // These are your "authoritative" external zones, and would probably
    // contain entries for just your web and mail servers:

    zone "253.158.97.in-addr.arpa" IN {
        type master;
        file "/var/named/zones/external/97.158.253.zone";
        allow-update { none; };
    };

    zone "my-web-site.org" IN {
        type master;
        file "/var/named/zones/external/my-web-site.org.zone";
        allow-update { none; };
    };
};

Notice that the reverse zone file gives results for public Internet addresses, and of course, the forward zone file should only provide responses with Internet accessible addresses.

Note: In the external view, you may be tempted to use an exclamation mark (!) to eliminate networks used in the internal view, like this. Be careful: it is best to use "any;" for your external view, as the exclamation mark (!) is not honored with some versions of BIND in views named "external".

// !!! CAUTION !!!
match-clients { !localnets; !localhost; !safe-subnet; };
match-destinations { !localnets; !localhost; !safe-subnet; };

The views listed here are purely to illustrate their use. The sample home network we have been using doesn't need to have the ACL statement at all, as the built-in ACLs localnets and localhost are sufficient. The sample network won't need the safe-subnet section in the match-clients line either, as there is only one subnet in the configuration.

Views are also not just for NAT. If you run an Internet data center, you can set up your DNS server to act as a caching server to servers on all the Internet networks you own and no one else, and then provide authoritative responses to your customers' domains to everyone. Views can be very useful.
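Added check, not from the original how-to: the Python below scans named.conf-style text for views that recurse for any client, the open-resolver case that the "recursion no;" line in the external view prevents. The configuration it scans is a constructed sample modelled on the views above; it assumes BIND's defaults when a statement is missing (match-clients is any, recursion is yes) and does not model allow-recursion.

```python
import re

# Constructed sample in the style of the views above (not the page's own file).
# The external view deliberately omits "recursion no;".
SAMPLE_NAMED_CONF = """
acl "safe-subnet" { 192.168.17.0/24; };

view "localhost_resolver" {
    match-clients { localhost; };
    match-destinations { localhost; };
    recursion yes;
    zone "." IN { type hint; file "named.ca"; };
};

view "internal" { // What the home network will see
    match-clients { localnets; localhost; safe-subnet; };
    recursion yes;
    zone "." IN { type hint; file "named.ca"; };
};

view "external" { // What the Internet will see
    match-clients { any; };
    /* recursion left unset: BIND's default is yes */
    zone "my-web-site.org" IN { type master; file "my-web-site.org.zone"; };
};
"""

# The same configuration with the fix the external view above applies.
HARDENED_NAMED_CONF = SAMPLE_NAMED_CONF.replace(
    "/* recursion left unset: BIND's default is yes */", "recursion no;")


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def extract_views(text):
    """Map view name -> body text (between the view's braces), comments removed."""
    text = strip_comments(text)
    views = {}
    for m in re.finditer(r'\bview\s+"([^"]+)"\s*\{', text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        views[m.group(1)] = text[m.end():i - 1]
    return views


def match_clients(body):
    """Client list of a view; BIND treats a missing match-clients as { any; }."""
    m = re.search(r"match-clients\s*\{([^}]*)\}", body)
    if m is None:
        return ["any"]
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def recursion_enabled(body):
    """True unless the view says 'recursion no;' (BIND's default is yes).
    Assumption: only the recursion switch is modelled, not allow-recursion."""
    m = re.search(r"\brecursion\s+(yes|no)\s*;", body)
    return m is None or m.group(1) == "yes"


def open_resolver_views(conf):
    """Names of views that recurse for any client, i.e. act as an open resolver."""
    return [name for name, body in extract_views(conf).items()
            if "any" in match_clients(body) and recursion_enabled(body)]


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_NAMED_CONF), ("hardened", HARDENED_NAMED_CONF)):
        print(label, "open-resolver views:", open_resolver_views(conf) or "none")
```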

Configuring The Zone Files

You need to keep a number of things in mind when configuring DNS zone files:

- In all zone files, you can place a comment at the end of any line by inserting a semi-colon character then typing in the text of your comment.
- By default, your zone files are located in the /var/named or /var/named/chroot/var/named or /etc/bind directories depending on your Linux distribution.
- Each zone file contains a variety of records (SOA, NS, MX, A, and CNAME) that govern different areas of BIND.

Take a closer look at these entries in the zone file.

Time to Live Value

The very first entry in the zone file is usually the zone's time to live (TTL) value. Caching DNS servers cache the responses to their queries from authoritative DNS servers. The authoritative servers not only provide the DNS answer but also provide the information's time to live, which is the period for which it's valid.


The purpose of a TTL is to reduce the number of DNS queries the authoritative DNS server has to answer. If the TTL is set to three days, then caching servers use the original stored response for three days before making the query again.

$TTL 3D

BIND recognizes several suffixes for time-related values. A D signifies days, a W signifies weeks, and an H signifies hours. In the absence of a suffix, BIND assumes the value is in seconds.

DNS Resource Records

The rest of the records in a zone file are usually BIND resource records. They define the nature of the DNS information in your zone files that's presented to querying DNS clients. They all have the general format:

Name Class Type Data

There are different types of records for mail (MX), forward lookups (A), reverse lookups (PTR), aliases (CNAME) and overall zone definitions, Start of Authority (SOA). The data portion is formatted according to the record type and may consist of several values separated by spaces. Similarly, the name is also subject to interpretation based on this factor.

The SOA Record

The first resource record is the Start of Authority (SOA) record, which contains general administrative and control information about the domain. It has the format:

Name Class Type Name-Server Email-Address Serial-No Refresh Retry Expiry Minimum-TTL

The record can be long, and will sometimes wrap around on your screen. For the sake of formatting, you can insert new line characters between the fields as long as you insert parentheses at the beginning and end of the insertion to alert BIND that part of the record will straddle multiple lines. You can also add comments to the end of each new line separated by a semicolon when you do this. Here is an example:

@ IN SOA ns1.my-site.com. hostmaster.my-site.com. (
        2004100801 ; serial #
        4H         ; refresh
        1H         ; retry
        1W         ; expiry
        1D )       ; minimum

Table 18.4 explains what each field in the record means.


Table 18.4 The SOA Record Format

Field           Description
Name            The root name of the zone. The "@" sign is a shorthand reference to the current origin (zone) in the /etc/named.conf file for that particular database file.
Class           There are a number of different DNS classes. Home/SOHO will be limited to the IN or Internet class used when defining IP address mapping information for BIND. Other classes exist for non-Internet protocols and functions but are very rarely used.
Type            The type of DNS resource record. In the example, this is an SOA resource record. Other types of records exist, which I'll cover later.
Name-server     Fully qualified name of your primary name server. Must be followed by a period.
Email-address   The e-mail address of the name server administrator. The regular @ in the e-mail address must be replaced with a period instead. The e-mail address must also be followed by a period.
Serial-no       A serial number for the current configuration. You can use the date format YYYYMMDD with an incremented single digit number tagged to the end. This will allow you to do multiple edits each day with a serial number that both increments and reflects the date on which the change was made.
Refresh         Tells the slave DNS server how often it should check the master DNS server. Slaves aren't usually used in home / SOHO environments.
Retry           The slave's retry interval to connect the master in the event of a connection failure. Slaves aren't usually used in home / SOHO environments.
Expiry          Total amount of time a slave should retry to contact the master before expiring the data it contains. Future references will be directed towards the root servers. Slaves aren't usually used in home/SOHO environments.
Minimum-TTL     There are times when remote clients will make queries for subdomains that don't exist. Your DNS server will respond with a no domain or NXDOMAIN response that the remote client caches. This value defines the caching duration your DNS includes in this response.

So in the example, the primary name server is defined as ns1.my-site.com with a contact e-mail address of hostmaster@my-site.com (written hostmaster.my-site.com. in the record). The serial number is 2004100801 with refresh, retry, expiry, and minimum values of 4 hours, 1 hour, 1 week, and 1 day, respectively.
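Added example, not part of the how-to: a Python helper that produces the next serial under the YYYYMMDDnn scheme described in the Serial-no row (starting from the page's 2004100801), together with the comparison a slave applies when it polls the master (RFC 1982 serial arithmetic), which is why a zone edit without a serial bump never reaches the slaves.

```python
import datetime


def today_stamp():
    """Today's date as the integer YYYYMMDD, the prefix of a date-based serial."""
    return int(datetime.date.today().strftime("%Y%m%d"))


def next_serial(current, stamp=None):
    """Serial to write after editing a zone whose SOA currently holds `current`.

    Serials follow the YYYYMMDDnn scheme from Table 18.4 (e.g. 2004100801):
      - first edit on a new day  -> today's date followed by 01
      - further edits that day   -> the two-digit counter goes up
      - serial already ahead of today (not date-based, or clock skew) -> plain
        increment, which is all a slave needs: it only checks that the serial grew
    `stamp` overrides today's date for testing.
    """
    stamp = today_stamp() if stamp is None else stamp
    date_part, counter = divmod(current, 100)
    if date_part < stamp:
        return stamp * 100 + 1
    if date_part == stamp and counter >= 99:
        raise ValueError("99 edits already recorded today; switch to a plain increment")
    return current + 1


SERIAL_BITS = 32  # the SOA serial is a 32-bit field


def slave_sees_update(master_serial, slave_serial):
    """RFC 1982 comparison as a slave applies it at refresh time: the master's copy
    is 'newer' only if its serial is ahead by less than 2**31 (modulo 2**32)."""
    diff = (master_serial - slave_serial) % (1 << SERIAL_BITS)
    return 0 < diff < (1 << (SERIAL_BITS - 1))


if __name__ == "__main__":
    old = 2004100801
    new = next_serial(old, 20041008)  # a second edit on 8 Oct 2004
    print(old, "->", new, "| slave transfers:", slave_sees_update(new, old))
    print("edited but serial unchanged | slave transfers:", slave_sees_update(old, old))
```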

NS, MX, A And CNAME Records

Like the SOA record, the NS, MX, A, PTR and CNAME records each occupy a single line with a very similar general format. Table 18.5 outlines the way they are laid out.


Table 18.5 NS, MX, A, PTR and CNAME Record Formats

Record Type   Name Field                                                                         Class Field (2)   Type Field   Data Field
NS            Usually blank (1)                                                                  IN                NS           IP address or CNAME of the name server
MX            Domain to be used for mail. Usually the same as the domain of the zone file itself. IN               MX           Mail server DNS name
A             Name of a server in the domain                                                     IN                A            IP address of server
CNAME         Server name alias                                                                  IN                CNAME        "A" record name for the server
PTR           Last octet of server's IP address                                                  IN                PTR          Fully qualified server name

1. If the search key to a DNS resource record is blank it reuses the search key from the previous record, which in this case is the SOA @ sign.

2. For most home / SOHO scenarios, the Class field will always be IN or Internet. You should also be aware that IN is the default Class, and BIND will assume a record is of this type unless otherwise stated.

If you don't put a period at the end of a host name in a SOA, NS, A, or CNAME record, BIND will automatically tack on the zone file's domain name to the name of the host. So, BIND assumes an A record with www refers to www.my-site.com. This may be acceptable in most cases, but if you forget to put the period after the domain in the MX record for my-site.com, BIND attaches the my-site.com at the end, and you will find your mail server accepting mail only for the domain my-site.com.my-site.com.

TXT Records

There is also a less frequently used DNS TXT record that can be configured to contain additional generic information. The data section of the record typically has the format "name=value", where "name" is the name to be given to the type of data, and "value" is the value assigned to the name, as seen in this example.

my-web-site.org. TXT "v=spf1 -all"

TXT records are increasingly being used to help fight SPAM using the Sender Policy Framework (SPF) method. SPF TXT records are used by systems receiving mail to interrogate the DNS of the domain which appears in the email (the sender) and determine if the originating IP address of the mail (the source) is authorized to send mail for the sender's domain.

Further description of the use of TXT records is beyond the scope of this book, but you should at least be aware that they can be up to 255 characters in length and that this feature is often exploited in distributed denial of service (DDoS) attacks. The section on "Simple DNS Security" explains how to configure your DNS server to not participate in such an event.

Sample Forward Zone File

Now that you know the key elements of a zone file, it's time to examine a working example for the domain my-site.com.

;
; Zone file for my-site.com
;
; The full zone file
;
$TTL 3D
@ IN SOA ns1.my-site.com. hostmaster.my-site.com. (
        200211152 ; serial#
        3600      ; refresh, seconds
        3600      ; retry, seconds
        3600      ; expire, seconds
        3600 )    ; minimum, seconds

             NS    www           ; Inet Address of nameserver
my-site.com. MX    10 mail       ; Primary Mail Exchanger

localhost    A     127.0.0.1
bigboy       A     97.158.253.26
mail         A     97.158.253.27
ns1          CNAME bigboy
www          CNAME bigboy

Notice that in this example:

- Server ns1.my-site.com is the name server for my-site.com. In corporate environments there may be a separate name server for this purpose. Primary name servers are more commonly called ns1 and secondary name servers ns2.
- The minimum TTL value ($TTL) is three days, therefore remote DNS caching servers will store learned DNS information from your zone for three days before flushing it out of their caches.
- The MX record for my-site.com points to the server named mail.my-site.com and this server has the IP address 97.158.253.27.
- ns1 is actually a CNAME or alias for the Web server www. So here you have an example of the name server and Web server being the same machine. If they were all different machines, then you'd have an A record entry for each.

www A 97.158.253.26
ns  A 97.158.253.125

It is a required practice to increment your serial number whenever you edit your zone file. When DNS is set up in a redundant configuration, the slave DNS servers periodically poll the master server for updated zone file information, and use the serial number to determine whether the data on the master has been updated. Failing to increment the serial number, even though the contents of the zone file have been modified, could cause your slaves to have outdated information.

Note: The DNS specification (RFC 2181) does not allow for an MX record to be a CNAME. It may work in most cases, but some mail servers may refuse to send to you because of this.

Sample Reverse Zone File

Now you need to make sure that you can do a host query on all your home network's PCs and get their correct IP addresses. This is very important if you are running a mail server on your network, because sendmail typically relays mail only from hosts whose IP addresses resolve correctly in DNS. NFS, which is used in network-based file access, also requires valid reverse lookup capabilities.

This is an example of a zone file for the 192.168.1.x network. All the entries in the first column refer to the last octet of the IP address for the network, so the IP address 192.168.1.100 points to the name bigboy.my-site.com.

Notice how the main difference between forward and reverse zone files is that the reverse zone file only has PTR and NS records. Also the PTR records cannot have CNAME aliases.

;
; Filename: 192-168-1.zone
;
; Zone file for 192.168.1.x
;
$TTL 3D
@ IN SOA www.my-site.com. hostmaster.my-site.com. (
        200303301 ; serial number
        8H        ; refresh, seconds
        2H        ; retry, seconds
        4W        ; expire, seconds
        1D )      ; minimum, seconds

        NS  www.my-site.com.    ; Nameserver Address (absolute name, so the
                                ; in-addr.arpa origin is not appended)

100     PTR bigboy.my-site.com.
103     PTR smallfry.my-site.com.
102     PTR ochorios.my-site.com.
105     PTR reggae.my-site.com.
32      PTR dhcp-192-168-1-32.my-site.com.
33      PTR dhcp-192-168-1-33.my-site.com.
34      PTR dhcp-192-168-1-34.my-site.com.
35      PTR dhcp-192-168-1-35.my-site.com.
36      PTR dhcp-192-168-1-36.my-site.com.


I included entries for addresses 192.168.1.32 to 192.168.1.36, which are the addresses the DHCP server issues. SMTP mail relay wouldn't work for PCs that get their IP addresses via DHCP if these lines weren't included.
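Added example, not from the how-to: the Python below derives the in-addr.arpa zone name and the relative PTR owner names from a network prefix, then generates the PTR lines for a constructed set of internal A records, including the synthetic dhcp-192-168-1-N names for the DHCP range just described. The host addresses in the sample are assumed; the public NAT address is included to show that anything outside 192.168.1.0/24 is kept out of this zone.

```python
import ipaddress

# Constructed sample: A records for the internal hosts named in the reverse zone
# above, plus the public web address. The host addresses are assumed.
INTERNAL_A_RECORDS = {
    "bigboy.my-site.com.": "192.168.1.100",
    "ochorios.my-site.com.": "192.168.1.102",
    "smallfry.my-site.com.": "192.168.1.103",
    "reggae.my-site.com.": "192.168.1.105",
    "www.my-site.com.": "97.158.253.26",   # public NAT address, not part of this zone
}


def reverse_zone_name(network):
    """'192.168.1.0/24' -> '1.168.192.in-addr.arpa': the network octets in reverse order."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only IPv4 prefixes on an octet boundary are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(address, network):
    """Owner name of the PTR relative to the reverse zone: the host octets, reversed.
    For a /24 that is just the last octet, as in the example zone file."""
    net = ipaddress.ip_network(network, strict=True)
    ip = ipaddress.ip_address(address)
    if ip not in net:
        raise ValueError(f"{address} is not inside {network}")
    host_octets = str(ip).split(".")[net.prefixlen // 8:]
    return ".".join(reversed(host_octets))


def build_reverse_zone(a_records, network, dhcp_range=None):
    """PTR lines for every A record inside `network`, sorted by address, followed by
    synthetic dhcp-A-B-C-D names for a (first, last) DHCP range so that hosts with
    leased addresses also resolve in reverse. Records outside the network are skipped."""
    net = ipaddress.ip_network(network, strict=True)
    lines = []
    for name, addr in sorted(a_records.items(), key=lambda kv: ipaddress.ip_address(kv[1])):
        if ipaddress.ip_address(addr) in net:
            lines.append(f"{ptr_owner(addr, network)} PTR {name}")
    if dhcp_range:
        first, last = (int(ipaddress.ip_address(a)) for a in dhcp_range)
        for n in range(first, last + 1):
            addr = str(ipaddress.ip_address(n))
            lines.append(f"{ptr_owner(addr, network)} PTR dhcp-{addr.replace('.', '-')}.my-site.com.")
    return lines


if __name__ == "__main__":
    print('zone "%s"' % reverse_zone_name("192.168.1.0/24"))
    for line in build_reverse_zone(INTERNAL_A_RECORDS, "192.168.1.0/24",
                                   ("192.168.1.32", "192.168.1.36")):
        print(line)
```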

You may also want to create a reverse zone file for the public NAT IP addresses for your home network. Unfortunately, ISPs won't usually delegate this ability for anyone with less than a Class C block of 256 IP addresses. Most home DSL sites wouldn't qualify.

Loading Your New Configuration Files

Make sure your configuration files are in the correct locations and the serial numbers of the zone files you may have modified have been updated. If all seems correct, restart the BIND named daemon for the configuration to become active.

[root@bigboy tmp]# /etc/init.d/named restart

Take a look at the end of your /var/log/messages file to make sure there are no errors.

Make Sure Your /etc/hosts File Is Correctly Updated

Chapter 3, "Linux Networking", explains how to correctly configure your /etc/hosts file. Some programs, such as sendmail, require a correctly configured /etc/hosts file even though DNS is correctly configured.

Configure Your Firewall

The sample network assumes that the BIND name server and Apache Web server software run on the same machine protected by a router/firewall. The actual IP address of the server is 192.168.1.100, which is a private IP address. You'll have to use NAT for Internet users to be able to gain access to the server via the chosen public IP address, namely 97.158.253.26. If your firewall is a Linux box, you may want to take a look at Chapter 14, "Linux Firewalls Using iptables", which describes how to do the network address translation and allow DNS traffic through to your name server.

Fix Your Domain Registration

Remember to edit your domain registration for my-site.com, or whatever it is, so that at least one of the name servers is your new name server (97.158.253.26 in this case).

Domain registrars, such as VeriSign and RegisterFree, usually provide a Web interfaceto help you manage your domain.

Once you've logged in with the registrar's username and password, you'll have to take two steps:

1) Create a new name server record entry for the IP address 97.158.253.26 to map to ns.my-site.com or www.my-site.com or whatever your name server is called. (This screen prompts you for both the server's IP address and name.)


2) Assign ns.my-site.com to handle your domain. This screen will prompt you for the server name only.

Sometimes, the registrar requires at least two registered name servers per domain. If you only have one, then you could either create a second name server record entry with the same IP address but a different name, or you could give your Web server a second IP address using an IP alias, create a second NAT entry on your firewall and then create the second name server record entry with the new IP address and different name.

It normally takes about three to four days for your updated DNS information to be propagated to all 13 of the world's root name servers. You'll therefore have to wait about this amount of time before starting to notice people hitting your new Web site.

You can use the chapter's troubleshooting section to test specific DNS servers for the information they have on your site. You'll most likely want to test your new DNS server, which should be up to date, plus a few well known ones, which should have delayed values.

Troubleshooting BIND

BIND troubleshooting is usually easy to do. The named daemon updates the /var/log/messages file with detailed status messages that are frequently easy to interpret when you suspect a configuration error. The usual troubleshooting steps for network problems are also applicable. Both methodologies will be covered next.

Configuration Troubleshooting Steps

Always check your /var/log/messages file and console output for errors. Here are a couple of examples you may come across:

- The named daemon is started with an unedited version of the sample named.conf file, which causes unusual errors on the screen. References to the nonexistent sample zone files create errors. References to both the named.rfc1912.zones and named.root files in the localhost_resolver section cause errors related to duplicate definitions.

[root@bigboy tmp]# service named restart
Starting named: Error in named configuration:
/etc/named.rfc1912.zones:10: zone '.': already exists previous definition: /etc/named.root.hints:12
zone localdomain/IN: loaded serial 42
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
zone 255.in-addr.arpa/IN: loaded serial 42
zone 0.in-addr.arpa/IN: loaded serial 42
zone my.internal.zone/IN: loading master file my.internal.zone.db: file not found
internal/my.internal.zone/IN: file not found
zone my.ddns.internal.zone/IN: loading master file slaves/my.ddns.internal.zone.db: file not found
internal/my.ddns.internal.zone/IN: file not found
zone my.external.zone/IN: loading master file my.external.zone.db: file not found
external/my.external.zone/IN: file not found
[FAILED]
[root@bigboy tmp]#

- The named.conf file refers to an undefined secret key in the ddns_key entry of named.conf. Use the dns-keygen or dnskeygen commands to create a correct entry.

Feb 25 20:38:49 bigboy named[4593]: /etc/named.conf:99: configuring key 'ddns_key': bad base64 encoding
Feb 25 20:38:49 bigboy named[4593]: loading configuration: bad base64 encoding

- The named.root.hints file referred to in named.conf isn't present in the /etc or the chroot /etc directory.

[root@bigboy tmp]# service named start
Starting named: Error in named configuration:
/etc/named.conf:58: open: /etc/named.root.hints: file not found
[FAILED]
[root@bigboy tmp]#

- The named.root file referred to in the named.root.hints file isn't present.

Feb 25 21:33:41 bigboy named[5007]: could not configure root hints from 'named.root': file not found
Feb 25 21:33:41 bigboy named[5007]: loading configuration: file not found
Feb 25 21:33:41 bigboy named[5007]: exiting (due to fatal error)

- You are using a chroot version of BIND with a sample rndc.key file located in the /etc directory instead of the /var/named/chroot/etc/ directory. Copy the file to the correct location and restart named to fix the problem.

[root@bigboy tmp]# service named restart
Stopping named: rndc: connect failed: connection refused
[ OK ]
Starting named: [ OK ]
[root@bigboy tmp]#

- In your named.conf file you refer to a zone file that doesn't exist. This example includes both errors to the console screen and errors in the /var/log/messages file.


[root@bigboy tmp]# service named start
Starting named: Error in named configuration:
zone localdomain/IN: loaded serial 42
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
zone 255.in-addr.arpa/IN: loaded serial 42
zone 0.in-addr.arpa/IN: loaded serial 42
zone 2.168.192.in-addr.arpa/IN: loaded serial 2006052301
zone my-web-site.org/IN: loaded serial 2006052302
zone my-web-site.com/IN: loading master file /var/named/zones/internal/my-web-site.com.zone: file not found
internal/my-web-site.com/IN: file not found
zone 1.168.192.in-addr.arpa/IN: loaded serial 2006052301
zone my-web-site.org/IN: loaded serial 2006052302
[FAILED]
[root@bigboy tmp]#

Feb 26 01:47:10 smallfry named: zone my-web-site.com/IN: loading master file /var/named/zones/internal/my-web-site.com.zone: file not found
Feb 26 01:47:10 smallfry named: internal/my-web-site.com/IN: file not found

- This is a tricky one that would occur in some early versions of Fedora. BIND would appear to start correctly, but none of the zone files would be loaded. In this scenario you could be using a chroot version of BIND with a sample named.conf file located in the /etc directory instead of the /var/named/chroot/etc/ directory. Copy the file to the correct location and restart named to fix the problem. Delete the /etc copy and create a symbolic link to /var/named/chroot/etc/named.conf from /etc to ensure you always edit the correct file.

Nov 9 17:35:41 bigboy named[1157]: starting BIND 9.2.3 -u named -t /var/named/chroot
Nov 9 17:35:41 bigboy named[1157]: using 1 CPU
Nov 9 17:35:41 bigboy named[1157]: loading configuration from '/etc/named.conf'
Nov 9 17:35:41 bigboy named[1157]: listening on IPv4 interface lo, 127.0.0.1#53
Nov 9 17:35:41 bigboy named[1157]: listening on IPv4 interface eth0, 10.41.32.71#53
Nov 9 17:35:41 bigboy named[1157]: command channel listening on 127.0.0.1#953
Nov 9 17:35:41 bigboy named[1157]: command channel listening on ::1#953
Nov 9 17:35:41 bigboy named[1157]: running

- If there are no named errors to the screen or /var/log/messages, and your domain doesn't resolve correctly when queried using the host command while you are logged into your new nameserver, then the problem could be due to you forgetting to add a zone file entry for the domain in named.conf; there could be a typographical error in your zone file; or you could have forgotten to update your zone file serial numbers.


This isn't a comprehensive configuration error list, but it covers some common mistakes with a new configuration.
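As an added example (not code from the original chapter), the following Python runs over constructed /var/log/messages lines modelled on the named output above and sorts them into loaded zones, missing zone files, bad keys and duplicate zone definitions, then lists the zones from named.conf that never loaded.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of /var/log/messages lines, modelled on the named output
# shown in this chapter; hostnames, zones and serials are illustrative.
SAMPLE_LOG = """\
Feb 21 09:13:13 bigboy named[12026]: loading configuration from '/etc/named.conf'
Feb 21 09:13:13 bigboy named[12026]: /etc/named.rfc1912.zones:10: zone '.': already exists previous definition: /etc/named.root.hints:12
Feb 21 09:13:14 bigboy named[12026]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
Feb 21 09:13:14 bigboy named[12026]: zone 1.168.192.in-addr.arpa/IN: loaded serial 51
Feb 21 09:13:14 bigboy named[12026]: zone simiya.com/IN: loaded serial 2004021401
Feb 21 09:13:14 bigboy named[12026]: zone my-web-site.com/IN: loading master file /var/named/zones/internal/my-web-site.com.zone: file not found
Feb 21 09:13:14 bigboy named[12026]: internal/my-web-site.com/IN: file not found
Feb 21 09:13:14 bigboy named[12026]: /etc/named.conf:99: configuring key 'ddns_key': bad base64 encoding
Feb 21 09:13:14 bigboy named[12026]: running
"""

# named logs with or without a [pid]; everything after "named[...]: " is the message.
MSG_RE = re.compile(r"\bnamed(?:\[\d+\])?: (?P<msg>.*)$")
LOADED_RE = re.compile(r"^zone (?P<zone>\S+)/IN: loaded serial (?P<serial>\d+)$")
MISSING_RE = re.compile(r"^zone (?P<zone>\S+)/IN: loading master file (?P<path>\S+): file not found$")
KEY_RE = re.compile(r"configuring key '(?P<key>[^']+)': bad base64 encoding")
DUP_RE = re.compile(r"zone '(?P<zone>[^']+)': already exists")


@dataclass
class StartupReport:
    loaded: dict = field(default_factory=dict)         # zone -> serial
    missing_files: dict = field(default_factory=dict)  # zone -> missing path
    bad_keys: list = field(default_factory=list)       # keys with bad base64
    duplicate_zones: list = field(default_factory=list)
    running: bool = False                              # did named reach "running"?


def analyze_named_log(text):
    """Classify each named line into the error patterns listed above."""
    report = StartupReport()
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if (lm := LOADED_RE.match(msg)):
            report.loaded[lm.group("zone")] = int(lm.group("serial"))
        elif (mm := MISSING_RE.match(msg)):
            report.missing_files[mm.group("zone")] = mm.group("path")
        elif (km := KEY_RE.search(msg)):
            report.bad_keys.append(km.group("key"))
        elif (dm := DUP_RE.search(msg)):
            report.duplicate_zones.append(dm.group("zone"))
        elif msg == "running":
            report.running = True
    return report


def unloaded_zones(report, expected):
    """Zones declared in named.conf that never logged 'loaded serial'."""
    return sorted(z for z in expected if z not in report.loaded)


if __name__ == "__main__":
    r = analyze_named_log(SAMPLE_LOG)
    for zone, serial in r.loaded.items():
        print("loaded  %-30s serial %d" % (zone, serial))
    for zone, path in r.missing_files.items():
        print("MISSING %-30s %s" % (zone, path))
    print("bad keys:", r.bad_keys, "duplicate zones:", r.duplicate_zones)
    print("not loaded:", unloaded_zones(r, ["simiya.com", "my-web-site.com", "my-web-site.org"]))
```

Feed it the real file with `analyze_named_log(open("/var/log/messages").read())` and pass the zone names from your named.conf to unloaded_zones; a zone that is absent from both the loaded and the missing-file lists usually has no zone entry in named.conf at all.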

Network Troubleshooting Steps

Once configuration troubleshooting is completed, you can continue with the following network troubleshooting steps:

1) Determine whether your DNS server is accessible on DNS UDP/TCP port 53. Lack of connectivity could be caused by a firewall with incorrect permit, NAT, or port forwarding rules to your DNS server. Failure could also be caused by the named process being stopped. It is best to test this from both inside your network and from the Internet.

Troubleshooting with TELNET is covered in Chapter 4, "Simple Network Troubleshooting".

2) Linux status messages are logged to the file /var/log/messages. Use it to make sure all your zone files are loaded when you start BIND/named. Check your /etc/named.conf file if they fail to do so. (Linux logging is covered in Chapter 5, "Troubleshooting Linux with syslog".)

Feb 21 09:13:13 bigboy named: named startup succeeded
Feb 21 09:13:13 bigboy named[12026]: loading configuration from '/etc/named.conf'
Feb 21 09:13:13 bigboy named[12026]: no IPv6 interfaces found
Feb 21 09:13:13 bigboy named[12026]: listening on IPv4 interface lo, 127.0.0.1#53
Feb 21 09:13:13 bigboy named[12026]: listening on IPv4 interface wlan0, 192.168.1.100#53
Feb 21 09:13:13 bigboy named[12026]: listening on IPv4 interface eth0, 172.16.1.100#53
Feb 21 09:13:14 bigboy named[12026]: command channel listening on 127.0.0.1#953
Feb 21 09:13:14 bigboy named[12026]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
Feb 21 09:13:14 bigboy named[12026]: zone 1.16.172.in-addr.arpa/IN: loaded serial 51
Feb 21 09:13:14 bigboy named[12026]: zone 1.168.192.in-addr.arpa/IN: loaded serial 51
Feb 21 09:13:14 bigboy named[12026]: zone simiya.com/IN: loaded serial 2004021401
Feb 21 09:13:14 bigboy named[12026]: zone localhost/IN: loaded serial 42
Feb 21 09:13:14 bigboy named[12026]: zone simiya.com/IN: loaded serial 200301114
Feb 21 09:13:14 bigboy named[12026]: running

3) Use the host (nslookup in Windows) command for both forward and reverse lookups to make sure the zone files were configured correctly.

If this fails, try:

- Double check for your updated serial numbers in the modified files and also inspect the individual records within the files for mistakes.


- Ensure there isn't a firewall that could be blocking DNS traffic on TCP and/or UDP port 53 between your server and the DNS server.

- Use the dig command to determine whether the name server for your domain is configured correctly.

Here is an example of querying DNS server ns1.my-site.com for the IP address of www.linuxhomenetworking.com. (You can also replace the name server's name with its IP address.)

[root@bigboy tmp]# host www.linuxhomenetworking.com ns1.my-site.com
Using domain server:
Name: ns1.my-site.com
Address: 192.168.1.100#53
Aliases:

www.linuxhomenetworking.com has address 65.115.71.34
[root@bigboy tmp]#

Here is an example of querying your default DNS server for the IP address of www.linuxhomenetworking.com. As you can see, the name of the specific DNS server to query has been left off the end. Failure in this case could be due not only to an error in your BIND configuration or domain registration but also to an error in your DNS client's DNS server entry in your Linux /etc/resolv.conf file or the Windows TCP/IP properties for your NIC.

[root@bigboy tmp]# host www.linuxhomenetworking.com
www.linuxhomenetworking.com has address 65.115.71.34
[root@bigboy tmp]#

4) You can also use the dig command to determine whether known DNS servers on the Internet have received a valid update for your zone. (Remember, if you decide to change the DNS servers for your domain, that it could take up to four days for the change to propagate across the Internet.)

The format for the command is:

dig @<name-server> <domain-name> soa

The name server is optional. If you specify a name server, then dig queries that name server instead of the Linux server's default name server. It is sometimes good to query both your name server and a well known name server such as ns1.yahoo.com to make sure your DNS records have propagated properly. The dig command works only with fully qualified domain names, because it doesn't refer to the /etc/resolv.conf file.

This command uses the local DNS server for the query. It returns the SOA record information and the addresses of the domain's DNS servers in the authority section.


[root@bigboy tmp]# dig linuxhomenetworking.com SOA
......
;; AUTHORITY SECTION:
linuxhomenetworking.com. 3600 IN NS ns1.myisp.net.
linuxhomenetworking.com. 3600 IN NS ns2.myisp.net.

;; ADDITIONAL SECTION:
ns1.myisp.net. 3600 IN A 65.115.70.68
ns2.myisp.net. 3600 IN A 65.115.70.69
......
[root@bigboy tmp]#

Here is a successful dig using DNS server ns1.yahoo.com for the query. As before, it returns the SOA record for the zone.

[root@bigboy tmp]# dig @ns1.yahoo.com linuxhomenetworking.com SOA
......
;; AUTHORITY SECTION:
linuxhomenetworking.com. 3600 IN NS ns2.myisp.net.
linuxhomenetworking.com. 3600 IN NS ns1.myisp.net.

;; ADDITIONAL SECTION:
ns1.myisp.net. 3600 IN A 65.115.70.68
ns2.myisp.net. 3600 IN A 65.115.70.69
......
[root@bigboy tmp]#

Sometimes your SOA dig will fail. This command uses the DNS server ns1.yahoo.com for the query. In this case the authority section doesn't know of the domain and points to the name server for the entire .com domain at VeriSign.

[root@bigboy tmp]# dig @ns1.yahoo.com linuxhomeqnetworking.com SOA
......
;; QUESTION SECTION:
;linuxhomeqnetworking.com. IN SOA

;; AUTHORITY SECTION:
com. 0 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1077341254 1800 900 604800 900
......
[root@bigboy tmp]#

Possible causes of failure include:

- Typographical errors. In this case the misspelling "linuxhomeqnetworking.com" was entered on the command line.

- Incorrect domain registration.
- Correct domain registration, but there is a lag in the propagation of the domain information across the Internet. Delays of up to four days are not uncommon.
- A firewall could be blocking DNS traffic on TCP and/or UDP port 53 between your server and the DNS server.
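The SOA checks above compare what your own server and a well known server return; the following Python is an added example, not part of the original chapter, that parses dig-style SOA answer lines, compares their serials with RFC 1982 serial arithmetic and produces the next YYYYMMDDnn serial (the serial-number mistake named in the troubleshooting lists above). The SOA lines are constructed, since the page's dig output elides the answer section.

```python
import re
from datetime import date

# Constructed dig-style SOA answer lines in the record format this chapter's
# AXFR output shows; the serials are illustrative, not from the original page.
OWN_SERVER_SOA = ("my-site.com. 3600 IN SOA www.my-site.com. hostmaster.my-site.com. "
                  "2004110702 3600 3600 3600 3600")
REMOTE_SERVER_SOA = ("my-site.com. 3600 IN SOA www.my-site.com. hostmaster.my-site.com. "
                     "2004110701 3600 3600 3600 3600")

SOA_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)$")


def parse_soa(line):
    """Split one SOA answer line into its fields, with the numeric ones as ints."""
    m = SOA_RE.match(line.strip())
    if not m:
        raise ValueError("not an SOA answer line: %r" % line)
    rec = m.groupdict()
    for key in ("ttl", "serial", "refresh", "retry", "expire", "minimum"):
        rec[key] = int(rec[key])
    return rec


def serial_newer(a, b):
    """RFC 1982 serial arithmetic: is a newer than b, modulo 2**32?
    A slave only transfers the zone when the master's serial is newer in this
    sense, so a serial that was accidentally lowered never propagates."""
    if a == b:
        return False
    diff = (a - b) % 2**32
    return 0 < diff < 2**31


def propagation_status(own_line, remote_line):
    """Compare the SOA your server returns with one a well known server returns."""
    own, remote = parse_soa(own_line), parse_soa(remote_line)
    if own["name"] != remote["name"]:
        raise ValueError("SOA answers are for different zones")
    if own["serial"] == remote["serial"]:
        return "in sync"
    if serial_newer(own["serial"], remote["serial"]):
        return "remote is stale"       # wait for the remote's cached TTL to expire
    return "remote is ahead"           # your master's serial went backwards: fix it


def next_serial(current, today_yyyymmdd=None):
    """Next YYYYMMDDnn serial: today's date plus a two-digit revision, or
    current + 1 when the date-based value would not count as newer (several
    edits on one day, or a clock that is behind the last edit)."""
    if today_yyyymmdd is None:
        today_yyyymmdd = int(date.today().strftime("%Y%m%d"))
    candidate = today_yyyymmdd * 100
    if not serial_newer(candidate, current):
        candidate = (current + 1) % 2**32
    return candidate


if __name__ == "__main__":
    print(propagation_status(OWN_SERVER_SOA, REMOTE_SERVER_SOA))
    print("next serial:", next_serial(parse_soa(OWN_SERVER_SOA)["serial"], 20041107))
```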


Migrating Your Web Site In-House

It is important to have a detailed migration plan if you currently use an external company to host your Web site and wish to move the site to a server at home or in your office. At the very least your plan should include these steps:

1. There is no magic bullet that will allow you to tell all the caching DNS servers in the world to flush their caches of your zone file entries. Your best alternative is to request your existing service provider to set the TTL on my-site.com in the DNS zone file to a very low value, say one minute. As the TTL is usually set to a number of days, it will take at least three to five days for all remote DNS servers to recognize the change. Once the propagation is complete, it will take only one minute to see the results of the final DNS configuration switch to your new server. If anything goes wrong, you can then revert to the old configuration, knowing it will rapidly recover within minutes rather than days.

2. Set up your test server in house. Edit the /etc/hosts file to make www.my-site.com refer to its own IP address, not that of the www.my-site.com site that is currently in production. This file is usually given a higher priority than DNS, therefore the test server will begin to think that www.my-site.com is really hosted on itself. You may also want to add an entry for mail.my-site.com if the new Web server is going to also be your new mail server.

3. Test your server based applications from the server itself. This should include mail, Web, and so on.

4. Test the server from a remote client. You can test the server running as www.my-site.com even though DNS hasn't been updated. Just edit your /etc/hosts file on your Web browsing Linux PC to make www.my-site.com map to the IP address of the new server. In the case of Windows, the file would be C:\WINDOWS\system32\drivers\etc\hosts. You may also want to add an entry for mail.my-site.com if the new Web server is going to also be your new mail server. Your client will usually refer to these files first before checking DNS, hence you can use them to predefine some DNS lookups at the local client level only.

5. Once testing is completed, coordinate with your Web hosting provider to update your domain registration's DNS records for www.my-site.com to point to your new Web server. As the TTLs were set to one minute previously, you'll be able to see the results of the migration within minutes.

6. Once complete, you can set the TTL back to the original value to help reduce the volume of DNS query traffic hitting your DNS server.

7. Fix your /etc/hosts files by deleting the test entries you had before.

8. You may also want to take over your own DNS. Edit your my-site.com DNS entries with VeriSign, RegisterFree or whoever you bought your domain from to point to your new DNS servers.

Remember, you don't have to host DNS or mail in-house; this could be left in the hands of your service provider. You can then migrate these services in-house as your confidence in hosting becomes greater.

Finally, if you have concerns that your service provider won't cooperate, then you could explain to the provider that you want to test its failover capabilities to a duplicate server that you host in-house. You can then decide whether the change will be permanent once you have failed over back and forth a few times.

DHCP Considerations For DNS

If you have a DHCP server on your network, you'll need to make it assign the IP address of the Linux box as the DNS server it tells the DHCP clients to use. If your Linux box is the DHCP server, then you may need to refer to Chapter 8, "Configuring the DHCP Server".

Simple DNS Security

DNS can reveal a lot about the nature of your domain. You should take some precautions to conceal some of the information for the sake of security.

Zone Transfer Protection

The host command does one DNS query at a time, but the dig command is much more powerful. When given the right parameters it can download the entire contents of your domain's zone file.

In this example, the AXFR zone transfer parameter is used to get the contents of the my-site.com zone file.

[root@smallfry tmp]# dig my-site.com AXFR

; <<>> DiG 9.2.3 <<>> my-site.com AXFR
;; global options: printcmd
my-site.com. 3600 IN SOA www.my-site.com. hostmaster.my-site.com. 2004110701 3600 3600 3600 3600
my-site.com. 3600 IN NS ns1.my-site.com.
my-site.com. 3600 IN MX 10 mail.my-site.com.
192-168-1-96.my-site.com. 3600 IN A 192.168.1.96
192-168-1-97.my-site.com. 3600 IN A 192.168.1.97
192-168-1-98.my-site.com. 3600 IN A 192.168.1.98
bigboy.my-site.com. 3600 IN A 192.168.1.100
gateway.my-site.com. 3600 IN A 192.168.1.1
localhost.my-site.com. 3600 IN A 127.0.0.1
mail.my-site.com. 3600 IN CNAME www.my-site.com.
ns1.my-site.com. 3600 IN CNAME www.my-site.com.
ntp.my-site.com. 3600 IN CNAME www.my-site.com.
smallfry.my-site.com. 3600 IN A 192.168.1.102
www.my-site.com. 3600 IN A 192.168.1.100
my-site.com. 3600 IN SOA www.my-site.com. hostmaster.my-site.com. 2004110701 3600 3600 3600 3600
;; Query time: 16 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Sun Nov 14 20:21:07 2004
;; XFR size: 16 records
[root@smallfry tmp]#


This may not seem like an important security threat at first glance, but it is. Anyone can use this command to determine all your server's IP addresses and, from the names, determine what type of server each is and then launch an appropriate cyber attack.

In a simple home network, without master and slave servers, zone transfers should be disabled. You can do this by applying the allow-transfer directive to the global options section of your named.conf file.

options {
    allow-transfer { none; };
};

Once applied, your zone transfer test should fail.

[root@smallfry tmp]# dig my-site.com AXFR
......
; <<>> DiG 9.2.3 <<>> my-site.com AXFR
;; global options: printcmd
; Transfer failed.
[root@smallfry tmp]#

Selectively Disabling Recursion

Your caching DNS server can unknowingly participate in a form of DDoS attack if recursive lookups are globally allowed.

Say for example that for political, religious, competitive or otherwise malicious reasons your web site is targeted for an attack. First, a hacker breaks into the authoritative DNS server for a sub domain, like my-web-site.org, and adds a large TXT record to the sub domain. The hacker then sends thousands of queries to unsecured caching DNS servers requesting the TXT record, but there is a catch. The queries use a false source IP address that corresponds to the IP address of the DNS server for your website. The queries are small, but the responses are amplified by the size of the TXT information, and your DNS server quickly becomes overwhelmed by the flurry of replies. Without DNS, your web site goes off the air. For the administrator of the caching DNS servers, the additional load of the queries can be unnoticeable, but when multiplied by thousands of other poorly configured servers, the attack on your site becomes lethal.

The allow-recursion directive placed in the options section of your named.conf file can be used to restrict the networks to which recursive lookups are allowed. In this example an ACL is also used to limit lookups to localhost and the 192.168.1.0/24 network.

acl "recursive_subnets" {
    192.168.1.0/24;
    localhost;
};

options {
    allow-recursion { "recursive_subnets"; };
};


Note: This does not restrict forward or reverse lookups defined by the zone files on the server. The server will answer all queries for my-web-site.org if it owns that domain, but it won't respond to queries for servers in another domain such as google.com.

Naming Convention Security

Your my-site.com domain will probably have a www and a mail subdomain, and they should remain obvious to all. You may want to adjust your DNS views so that to external users, your MySQL database server doesn't have the letters "DB" or "SQL" in the name, and your firewall doesn't have the letters "FW" in its name either. This may be good for ease of reference within the company, but to the Internet these names provide rapid identification of the types of malicious exploits a hacker could use to break in. Web site security refers to anything that helps to guarantee the availability of the site; this is just one of many methods you can use.

Conclusion

DNS management is a critical part of the maintenance of any Web site. Fortunately, although it can be a little complicated, DNS modifications are usually infrequent, because the IP address of a server is normally fixed or static. This is not always the case. There are situations in which a server's IP address will change unpredictably and frequently, making DNS management extremely difficult. Dynamic DNS was created as a solution to this and is explained in Chapter 19, "Dynamic DNS".