BIND Part 1
pschiu
Outline
InstallationBasic Configuration
Installing ISC BIND
Step#pkginstall bind911or# cd /usr/ports/dns/bind911# make install cleanor# yuminstallbind.x86_64#yum installbind-chroot.x86_64or#pacman-Sbindor# tar -xzvfbind-9.11.0-P3.tar.gz ……..
pkginstall on FreeBSD
[root@jalrc.d]#pkginstallbind911Updating FreeBSD repository catalogue...FreeBSD repository is up-to-date.All repositories are up-to-date.Checking integrity... done (0 conflicting)The following 1 package(s) will be affected (of 0 checked):New packages to be INSTALLED:bind911:9.11.0P3Number of packages to be installed: 1The process will require 59MiBmore space.Proceed with this action? [y/N]: y[1/1] Installing bind911-9.11.0P3...[1/1] Extracting bind911-9.11.0P3: 100%Message from bind911-9.11.0P3:*********************************************************************** _ _____ _____ _____ _ _ _____ ___ ___ _ _ ** / \|_ _|_ _| ____| \ | |_ _|_ _/ _ \| \ | | ** / _ \ | | | | | _| | \| | | | | | | | | \| | ** / ___ \| | | | | |___| |\ | | | | | |_| | |\ | ** /_/ \_\_| |_| |_____|_| \_| |_| |___\___/|_| \_| ** ** BIND requires configuration ofrndc, including a "secret" key. ** The easiest, and most secure way to configurerndcis to run ** 'rndc-confgen-a' to generate the properconffile, with a new ** random key, and appropriate file permissions. ** ** The /usr/local/etc/rc.d/named script will do that for you. ** ***********************************************************************
named in FreeBSD
startupEdit /etc/rc.confnamed_enable=“YES”Manual utility command%rndc{stop | reload | flush …}In old version of BIND, usendccommandConfiguration files/usr/local/etc/namedb/named.confmain Configuration file/usr/local/etc/namedb/named.rootDNS root server cache hint fileZone data filesSee your BIND version% dig @140.113.1.1version.bindtxt chaos
version.bind.0 CH TXT "9.8.1-P1"version.bind.0 CH TXT "9.10.4-P2"version.bind.0 CH TXT "There is no version."version.bind.0 CH TXT "JAL-DNS-Ver-1.8"
BIND Configuration–named.conf(1)
/usr/local/etc/namedb/named.confRoles of this name serverMaster, slave, or stubGlobal optionsZone specific optionsnamed.confis composed of following statements:include, options, server, key,acl, zone,view, controls, logging, trusted-keys
BIND Configuration–named.conf(2)
Address Match ListA generalization of an IP address that can include:An IP addressEx. 140.113.17.1An IP network with CIDRnetmaskEx. 140.113/16Ex. 140.113.0.0/16The ! character to do negateThe name of a previously defined ACLA cryptographic authentication keyFirst matchExample:{ !1.2.3.4; 1.2.3/24; };{ 168.95/16; 140.113.209/24; 140.113.235/24; 127.0.0.1; };{ 2001:288:4001::/48; };
BIND Configuration–named.confinclude
The"include"statementUsed to separate large configuration fileAnother usage is used to separate cryptographic keys into a restricted permission fileEx:include "/usr/local/etc/namedb/rndc.key";-rw-r--r-- 1 root wheel 28980 Feb 18 22:40 named.conf-rw-r-----1 rootbind141 Jan 6 2016rndc.keyIfthe path isrelativeRelative to thedirectoryoptionDefault path:/usr/local/etc/namedb/working/Ex:chroot/var/named/
BIND Configuration–named.confacl
The"acl"statementDefine a class of access controlDefine before they are usedSyntaxaclacl_name{address_match_list;};Predefinedaclclassesany,localnets, localhost, noneExampleaclCSnets{140.113.235/24; 140.113.17/24; 140.113.209/24;};aclNCTUnets{140.113/16; 140.126.237/24; 2001:288:4001::/48;};allow-transfer {localhost;CSnets;NCTUnets};
BIND Configuration–named.confkey
The"key"statementDefine a encryption key used for authentication with a particular serverSyntaxkey "key-id" {algorithmstring;secret "string";}Example:key "serv1-serv2" {algorithmhmac-md5;secret "ibkAlUA0XXAXDxWRTGeY+d4CGbOgOIr7n63eizJFHQo=";}This key is used toSign DNS request before sending to targetValidate DNS response after receiving from target
BIND Configuration–named.confoption (1)
The “option” statementSpecify global optionsSome options may be overridden later for specific zone or serverSyntax:options {option;option;}There are about 50 options in BIND9version“There is no version.”;[real versionnum]directory“/etc/namedb/db”;Base directory for relative path and path to put zone data files
version.bind.0 CH TXT "9.8.1-P1"version.bind.0 CH TXT "9.10.4-P2"version.bind.0 CH TXT "There is no version."version.bind.0 CH TXT "JAL-DNS-Ver-1.8"
BIND Configuration–named.confoption (2)
notifyyes | no[yes]Whether notify slave sever when relative zone data is changedalso-notify140.113.235.101;[empty]Also notify this non-NS serverrecursionyes | no[yes]Recursive name serverallow-recursion{address_match_list};[all]Finer granularity recursion settingcheck-names{master|slave|responseaction};check hostname syntax validityLetter, number and dash only64 characters for each component, and 256 totallyAction:ignore: do no checkingwarn: log bad names but continuefail: log bad names and rejectdefault actionmaster failslave warnresponse ignore
BIND Configuration–named.confoption (3)
listen-onportip_portaddress_match_list;[53, all]NIC and ports that named listens for queryEx: listen-on port 5353 { 192.168.1/24; };query-sourceaddressip_addrportip_port;[random]NIC and port to send DNS queryforwarders{in_addr; … };[empty]Often used in cache name serverForward DNS query if there is no answer in cacheforwardonly | first;[first]If forwarder does not response, queries for forward only server will failallow-queryaddress_match_list;[all]Specify who can send DNS query to youallow-transferaddress_match_list;[all]Specify who can request zone transfer to youblackholeaddress_match_list;[empty]Reject queries and would never ask them for answers
BIND Configuration–named.confoption (4)
transfer-formatone-answer | many-answers;[many-answers]Ways to transfer data records from master to slaveHow many data records in single packettransfers-innum;[10]transfers-outnum;[10]Limit of the number of inbound and outbound zone transfers concurrentlytransfers-per-nsnum;[2]Limit of the inbound zone transfers concurrently from the same remote servertransfer-sourceIP-address;IP of NIC used for inbound transfers
BIND Configuration–named.confserver
The"server"statementTell named about the characteristics of its remote peersSyntaxserverip_addr{bogusno | yes;provide-ixfryes | no; (for master)request-ixfryes | no; (for slave)transfersnum;transfer-formatmany-answers | one-answer;keys {key-id;key-id};};ixfrIncremental zone transfertransfersLimit of number of concurrent inbound zone transfers from that serverServer-specific transfers-inkeysAny request sent to the remote server is signed with this key
BIND Configuration–named.confzone (1)
The"zone"statementHeart of thenamed.confthat tells named about the zones that it is authoritativezone statement format varies depending on roles of namedMaster or slaveBasically
Syntax:zone "domain_name" {typemaster |slave |stub;file "path";masters{ip_addr;ip_addr; };allow-query{address_match_list; };[all]allow-transfer {address_match_list; };[all]allow-update{address_match_list; };[empty]};
BIND Configuration–named.confzone (2)
Master server zone configurationSlave server zone configuration
zone "cs.nctu.edu.tw" IN {type master;file "named.hosts";allow-query { any; };allow-transfer { localhost; CS-DNS-Servers; };allow-update { none; };};
zone "cs.nctu.edu.tw" IN {type slave;file "cs.hosts";masters { 140.113.235.107; };allow-query { any; };allow-transfer { localhost; CS-DNS-Servers; };};
BIND Configuration–named.confzone (3)
Forward zone and reverse zone
zone "cs.nctu.edu.tw" IN {type master;file "named.hosts";allow-query { any; };allow-transfer { localhost; CS-DNS-Servers; };allow-update { none; };};
zone "235.113.140.in-addr.arpa" IN {type master;file "named.235.rev";allow-query { any; };allow-transfer { localhost; CS-DNS-Servers; };allow-update { none; };};
BIND Configuration–named.confzone (4)
ExampleInnamed.hosts, there are plenty of A or CNAME recordsIn named.235.rev, there are plenty of PTR records
$ORIGIN235.113.140.in-addr.arpa.…131 IN PTR bsd1.cs.nctu.edu.tw.132 IN PTR bsd2.cs.nctu.edu.tw.133 IN PTR bsd3.cs.nctu.edu.tw.134 IN PTR bsd4.cs.nctu.edu.tw.135 IN PTR bsd5.cs.nctu.edu.tw.…
$ORIGINcs.nctu.edu.tw.…bsd1 IN A 140.113.235.131csbsd1 IN CNAME bsd1bsd2 IN A 140.113.235.132bsd3 IN A 140.113.235.133bsd4 IN A 140.113.235.134bsd5 IN A 140.113.235.135…
BIND Configuration–named.confzone (5)
Setting up root hintA cache of where are the DNS root serversSetting up forwarding zoneForward DNS query to specific name server, bypassing the standard query path
zone"."IN {type hint;file "named.root";};
zone "nctu.edu.tw" IN {type forward;forward first;forwarders { 140.113.250.135; 140.113.1.1; };};zone "113.140.in-addr.arpa" IN {type forward;forward first;forwarders { 140.113.250.135; 140.113.1.1; };};
BIND Debugging and Logging
Logging (1)
TermsChannelA place where messages can goEx: syslog, file or /dev/nullCategoryA class of messages that named can generateEx: answering queries or dynamic updatesModuleThe name of the source module that generates the messageFacilitysyslog facility nameSeverityPriority in syslogLogging configurationDefine what are the channelsSpecify where each message category should goWhen a message is generatedIt is assigned a “category”, a “module”, a “severity”It is distributed to all channels associated with its category
Logging (2)
The “logging” statementEither “file” or “syslog” in channel sub-statementsize:ex: 2048, 100k, 20m, 15g, unlimited, defaultfacility:ex: local0 ~ local7severity:critical, error, warning, notice, info, debug, dynamic
logging{channel_def;channel_def;…categorycategory_name{channel_name;channel_name;…};};
channelchannel_name{filepath[versionsnum|unlimited] [sizesiznum];syslogfacility;severityseverity;print-categoryyes|no;print-severityyes|no;print-timeyes|no;};
Logging (3)
Predefined channelsAvailable categories
Logging (4)
Example of logging statement
logging {channel security-log {file "/var/log/named/security.log" versions 5 size 10m;severity info;print-severity yes;print-time yes;};channel query-log {file "/var/log/named/query.log" versions 20 size 50m;severity info;print-severity yes;print-time yes;};category default {default_syslog;default_debug; };category general {default_syslog; };category security { security-log; };category client { query-log; };category queries { query-log; };categorydnssec{ security-log; };};
https://jal.tw/dns:bind_log
Debug
Named debug levelFrom 0 (debugging off) ~ 11 (most verbose output)% named -d2 (start named at level 2)%rndctrace (increase debugging level by 1)%rndctrace 3 (change debugging level to 3)%rndcnotrace(turn off debugging)Debug with “logging” statementDefine a channel that include a severity with “debug” keywordEx: severity debug 3All debugging messages up to level 3 will be sent to that particular channel
Tools
Tools–nslookup
Interactive and Non-interactiveNon-Interactive%nslookupcs.nctu.edu.tw.%nslookup–type=mx cs.nctu.edu.tw.%nslookup–type=ns cs.nctu.edu.tw. 140.113.1.1Interactive%nslookup> set all> set type=any> set server host> setlserverhost> set debug> set d2
28
csduty:~ -lwhsu-nslookup> set allDefault server: 140.113.235.107Address: 140.113.235.107#53Default server: 140.113.235.103Address: 140.113.235.103#53Default server: 140.113.1.1Address: 140.113.1.1#53Set options:novcnodebugnod2searchrecursetimeout = 0 retry = 3 port = 53querytype= A class = INsrchlist= cs.nctu.edu.tw/csie.nctu.edu.tw>
#pkginstallbind-tools
Tools– dig
Usage% dig cs.nctu.edu.tw% dig cs.nctu.edu.tw mx% dig @ns.nctu.edu.tw cs.nctu.edu.tw mx% dig -x 140.113.209.3Reverse query%dig +trace jal.tw% dig +dnssecjal.twFind out the root servers% dig @a.root-servers.net . ns
29
#pkginstallbind-tools
How to debug a name server
Trace from root%dig nstw.% dig ns idv.tw
tw. 86399 IN NS g.dns.tw.tw. 86399 IN NS d.dns.tw.tw. 86399 IN NS i.dns.tw.tw. 86399 IN NS ns.twnic.net.tw. 86399 IN NS b.dns.tw.tw. 86399 IN NS sec4.apnic.net.tw. 86399 IN NS h.dns.tw.tw. 86399 IN NS a.dns.tw.tw.86399 IN NS c.dns.tw.tw. 86399 IN NS f.dns.tw.tw. 86399 IN NS e.dns.tw.
idv.tw. 79726 IN NS a.twnic.net.tw.idv.tw. 79726 IN NS h.twnic.net.tw.idv.tw. 79726 IN NS f.twnic.net.tw.idv.tw. 79726 IN NS i.dns.tw.idv.tw. 79726 IN NS g.twnic.net.tw.idv.tw. 79726 IN NS e.twnic.net.tw.idv.tw. 79726 IN NS b.twnic.net.tw.idv.tw. 79726 IN NS d.twnic.net.tw.idv.tw. 79726 IN NS c.twnic.net.tw.idv.tw. 79726 IN NS sec4.apnic.net.
How to debug a name server – cont.
%dig ns nasa.idv.tw. @a.dns.tw.% dig ns nasa.idv.tw. @ns1.nasa.idv.tw.% dig ns nasa.idv.tw. @ns2.nasa.idv.tw.%dig ns nasa.idv.tw. @ns3.he.net.% dig any nasa.idv.tw. @ns1.nasa.idv.tw.% digsoanasa.idv.tw. @ns1.nasa.idv.tw.%digsoanasa.idv.tw. @ns2.nasa.idv.tw.% digsoanasa.idv.tw. @ns3.he.net.
nasa.idv.tw. 86400 IN NS ns1.nasa.idv.tw.nasa.idv.tw. 86400 IN NS ns2.nasa.idv.tw.nasa.idv.tw. 86400 IN NS ns3.he.net.
nasa.idv.tw. 86399 IN SOA nasa.idv.tw. pschiu.cs.nctu.edu.tw.20170301007200 600 1209600 2400
How to debug a name server – cont.
%digsoanasa.idv.tw. @8.8.8.8% digsoanasa.idv.tw. @168.95.1.1
nasa.idv.tw. 86399 IN SOA nasa.idv.tw. pschiu.cs.nctu.edu.tw.20170301007200 600 1209600 2400
nasa.idv.tw. 86399 IN SOA nasa.idv.tw. pschiu.cs.nctu.edu.tw.20170301007200 600 1209600 2400
Tools– host
host command% host cs.nctu.edu.tw.% host –t mx cs.nctu.edu.tw.% host 140.113.1.1% host –v 140.113.1.1
33
0
Embed
Upload