This shows you the differences between two versions of the page.
en:linux:dns [2010/03/07 09:41] matthieu created |
en:linux:dns [2011/12/13 23:43] (current) matthieu |
Line 1: | Line 1: | ||
- | ====== DNS Server ====== | + | {{tag>en en:linux en:server en:dns en:ipv6}} |
- | Bind (Berkeley Internet Name Domain) is the most popular DNS server over Internet. It can be used for serving a primary dns but also for a simple DNS cache server. | + | |
+ | ====== Bind ====== | ||
+ | Bind (Berkeley Internet Name Domain) is a popular DNS server. It can be used to host a master zone or simply as a DNS cache. | ||
===== Installation ===== | ===== Installation ===== | ||
Line 6: | Line 8: | ||
* bind9 | * bind9 | ||
- | ===== Settings ===== | + | Configuration files are located into ///etc/bind///. |
- | Configuration files are located inside ///etc/bind///.\\ | + | |
- | By default, the daemon acts as a proxy and send requests to the DNS roots. | + | |
- | ==== Add a local zone ==== | + | To make the operating system use bind localy, change ///etc/resolv.conf// to : |
+ | nameserver 127.0.0.1 | ||
+ | |||
+ | ===== Use Bind of Internet resolution ===== | ||
+ | ==== Direct root server access ==== | ||
+ | By default bind is configured as a DNS proxy, requesting directly the DNS root servers. This configuration is independent of provider's DNS. | ||
- | The following example describes how to add a local zone : | + | Default configuration inside //named.conf.default-zones// : |
+ | <code bind> | ||
+ | // prime the server with knowledge of the root servers | ||
+ | zone "." { | ||
+ | type hint; | ||
+ | file "/etc/bind/db.root"; | ||
+ | }; | ||
+ | </code> | ||
- | We fist need to create a local zone file to define records, for example ///etc/bind/db.priv.bouthors.fr// : | + | ==== Forwarding ==== |
+ | It is also possible to forward requests to another DNS server. | ||
+ | |||
+ | Configuration example to add into //named.conf.local// : | ||
+ | <code bind> | ||
+ | zone "." { | ||
+ | type forward; | ||
+ | forward only; | ||
+ | forwarders { 192.168.10.10; } ; | ||
+ | }; | ||
+ | </code> | ||
+ | |||
+ | ===== Forwarding for only one domain ===== | ||
+ | Configuration example to forward only one domain : | ||
<file> | <file> | ||
- | ; | + | zone "thisdomain.com" { |
- | ; BIND data file for local loopback interface | + | type forward; |
- | ; | + | forward only; |
- | $TTL 604800 | + | forwarders { 10.0.10.11; 10.0.10.12; } ; |
- | @ IN SOA bender.priv.bouthors.fr. matthieu.priv.bouthors.fr. ( | + | }; |
- | 1 ; Serial | + | |
- | 604800 ; Refresh | + | |
- | 86400 ; Retry | + | |
- | 2419200 ; Expire | + | |
- | 604800 ) ; Negative Cache TTL | + | |
- | ; | + | |
- | @ NS bender.priv.bouthors.fr. | + | |
- | @ MX 5 bender.priv.bouthors.fr. | + | |
- | @ A 192.168.10.1 | + | |
- | portable CNAME nibbler.priv.bouthors.fr. | + | |
- | bender A 192.168.10.1 | + | |
- | fry A 192.168.10.10 | + | |
- | smitty A 192.168.10.254 | + | |
- | leela A 192.168.10.11 | + | |
- | nibbler A 192.168.11.10 | + | |
</file> | </file> | ||
- | Then we create the reverse DNS file, for example ///etc/bind/db.192.168// : | + | ===== Creating a master zone ===== |
- | <file> | + | It is one of the main function or Bind : create a public or private zone.\\ |
- | ; | + | This task is done in two steps : |
- | ; BIND reverse data file for local loopback interface | + | - Creating a zone file |
- | ; | + | - Enabling this zone |
- | $TTL 604800 | + | |
- | @ IN SOA bender.priv.bouthors.fr. matthieu.priv.bouthors.fr. ( | + | The following example show the configuration of bouthors.fr. |
- | 1 ; Serial | + | |
- | 604800 ; Refresh | + | The file below is the zone file for bouthors.fr, saved into //db.bouthors.fr// : |
- | 86400 ; Retry | + | <file bind> |
- | 2419200 ; Expire | + | $ORIGIN . |
- | 604800 ) ; Negative Cache TTL | + | $TTL 300 ; 5 minutes |
- | ; | + | bouthors.fr IN SOA dc1.bouthors.fr. matthieu.bouthors.fr. ( |
- | @ NS bender.priv.bouthors.fr. | + | 1110210001 ; serial |
- | 1.10 PTR bender.priv.bouthors.fr. | + | 604800 ; refresh (1 week) |
- | 254.10 PTR smitty.priv.bouthors.fr. | + | 86400 ; retry (1 day) |
- | 10.10 PTR fry.priv.bouthors.fr. | + | 2419200 ; expire (4 weeks) |
- | 11.10 PTR leela.priv.bouthors.fr. | + | 300 ; minimum (5 minutes) |
- | 10.11 PTR nibbler.priv.bouthors.fr. | + | ) |
- | 254.11 PTR smitty.priv.bouthors.fr. | + | NS dc1.bouthors.fr. |
- | 254.12 PTR smitty.priv.bouthors.fr. | + | A 88.174.63.25 |
+ | MX 10 mail.bouthors.fr. | ||
+ | $ORIGIN bouthors.fr. | ||
+ | matthieu CNAME www | ||
+ | www A 88.174.63.25 | ||
+ | mail CNAME ghs.google.com. | ||
+ | dc1 A 88.174.63.25 | ||
</file> | </file> | ||
+ | A zone file is composed by several records of different types (SOA, NS, A, MX, ...). In details : | ||
+ | * $ORIGIN defines the suffix for the following lines | ||
+ | * $TTL defines the caching duration for the following lines | ||
+ | * SOA (Start of Authority) is mandatory, it starts the zone definition : | ||
+ | * dc1.bouthors.fr is the autoritative server of the zone (Primary Master) | ||
+ | * matthieu.bouthors.fr is the admin email with a "." instead of "@" | ||
+ | * 20111021001 is the serial number, which allow to do versioning. This number should be increased at each modification. | ||
+ | * the following values are the expiration length (seconds) : | ||
+ | * refresh, retry and expire are used for secondary servers synchronization | ||
+ | * minimum (300) is important, it defines the cache duration for negative answers | ||
+ | * A records define an IP resolution. For example www.bouthors.fr will be resolve by 88.174.63.25 | ||
+ | * CNAME records define redirections to other records | ||
+ | * NS records define DNS servers | ||
+ | * MX records define mail relays of the domain (nom@bouthors.fr). If several records are used, lower weighted will be selected first. If they have the same weight, load sharing will be used. | ||
- | Finally, we add the zones to Bind, by editing ///etc/bind/named.conf.local// : | + | Please note that text records are relative to the current zone, you can add a "." at the end to make them absolute. |
+ | |||
+ | Then, to register the new zone into Bind, update the file ///etc/bind/named.conf.local// : | ||
<file> | <file> | ||
+ | zone "bouthors.fr" { | ||
+ | type master; | ||
+ | file "/etc/bind/db.bouthors.fr"; | ||
+ | }; | ||
+ | </file> | ||
- | // Do any local configuration here | + | Bind needs to be restarted to apply the changes : |
- | // | + | /etc/init.d/bind9 restart |
- | // Consider adding the 1918 zones here, if they are not used in your | + | ===== Create a sub zone ===== |
- | // organization | + | To add a sub zone, the steps are quite similar to the primary zone configuration : |
- | //include "/etc/bind/zones.rfc1918"; | + | - create a zone file |
+ | - register the zone file into bind | ||
+ | - update the top zone : | ||
+ | - add NS records for the DNS servers of the sub zone | ||
+ | - add glue records if needed | ||
- | zone "priv.bouthors.fr" { | + | Example of the sub zone for ddns.bouthors.fr which is dedicated to dynamic records. |
+ | |||
+ | Zone file : | ||
+ | <code> | ||
+ | $ORIGIN . | ||
+ | $TTL 300 ; 5 minutes | ||
+ | ddns.bouthors.fr IN SOA dc1.bouthors.fr. matthieu.bouthors.fr. ( | ||
+ | 2011102303 ; serial | ||
+ | 3600 ; refresh (1H) | ||
+ | 1200 ; retry (20m) | ||
+ | 2419200 ; expire (4 weeks) | ||
+ | 180 ; minimum (3 minutes) | ||
+ | ) | ||
+ | NS dc1.bouthors.fr. | ||
+ | </code> | ||
+ | |||
+ | Zone registration into //named.conf.local// : | ||
+ | <code> | ||
+ | zone "ddns.bouthors.fr" { | ||
type master; | type master; | ||
- | file "/etc/bind/db.priv.bouthors.fr"; | + | file "/etc/bind/db.ddns.bouthors.fr"; |
}; | }; | ||
+ | </code> | ||
+ | |||
+ | Update of the top zone : | ||
+ | <code> | ||
+ | $ORIGIN . | ||
+ | $TTL 300 ; 5 minutes | ||
+ | bouthors.fr IN SOA dc1.bouthors.fr. matthieu.bouthors.fr. ( | ||
+ | 1110210001 ; serial | ||
+ | 604800 ; refresh (1 week) | ||
+ | 86400 ; retry (1 day) | ||
+ | 2419200 ; expire (4 weeks) | ||
+ | 300 ; minimum (5 minutes) | ||
+ | ) | ||
+ | NS dc1.bouthors.fr. | ||
+ | ddns.bouthors.fr. NS dc1.bouthors.fr. | ||
+ | </code> | ||
+ | |||
+ | If DNS servers are part of the sub zone (for example if the dns server of ddns.bouthors.fr would be dc1.ddns.bouthors.fr), then there is a loop : DNS servers of ddns.bouthors.fr are required to resolve dc1.ddns.bouthors.fr. In this case, we need to add glue records : dc1.ddns.bouthors.fr will be addded to the top zone bouthors.fr. For example : | ||
+ | dc1.ddns.bouthors.fr. NS 192.168.10.2 | ||
+ | |||
+ | ===== Create a reverse DNS zone ===== | ||
+ | To add your own reverse DNS zone, create a zone fine. For example //db.192.168// : | ||
+ | |||
+ | <file> | ||
+ | $ORIGIN . | ||
+ | $TTL 60 ; 1 minute | ||
+ | 168.192.in-addr.arpa IN SOA dc1.bouthors.fr. matthieu.bouthors.fr. ( | ||
+ | 1110210001 ; serial | ||
+ | 604800 ; refresh (1 week) | ||
+ | 86400 ; retry (1 day) | ||
+ | 2419200 ; expire (4 weeks) | ||
+ | 60 ; minimum (1 minute) | ||
+ | ) | ||
+ | NS dc1.bouthors.fr. | ||
+ | $ORIGIN 10.168.192.in-addr.arpa. | ||
+ | 1 PTR rt1.bouthors.fr. | ||
+ | 2 PTR dc1.bouthors.fr. | ||
+ | </file> | ||
+ | Then register this zone into //named.conf.local// : | ||
+ | <code> | ||
zone "168.192.in-addr.arpa" { | zone "168.192.in-addr.arpa" { | ||
type master; | type master; | ||
file "/etc/bind/db.192.168"; | file "/etc/bind/db.192.168"; | ||
}; | }; | ||
- | </file> | + | </code> |
- | Of course, we need to restart bind to apply the modifications : | + | ===== Add a secondary DNS server ===== |
- | /etc/init.d/bind9 restart | + | The goal of the secondary server is to improve the availability of the service. Moreover it is required for any public DNS.\\ |
+ | When the primary DNS is updated, the secondary servers will be informed and will update their zone.\\ | ||
+ | The serial number of the zone is used to identify the version of the zone, so it should be increased at each modification. | ||
- | ==== Add a forwarding ==== | + | By default, a primary server will notify and allow transferts to all servers defined as NS records.\\ |
- | To forward a specific domain to another server, add this in ///etc/bind/named.conf.local// : | + | But you can also configure this parameters manually, for example : |
+ | <code> | ||
+ | zone "bouthors.fr" { | ||
+ | type master; | ||
+ | file "/etc/bind/db.bouthors.fr"; | ||
+ | allow-transfer {192.168.10.3;}; | ||
+ | also-notify {192.168.10.3;}; | ||
+ | }; | ||
+ | </code> | ||
- | <file> | + | On the secondary server, the slave zone definition is quite simple : |
- | zone "thisdomain.com" { | + | <code> |
- | type forward; | + | zone "bouthors.fr" { |
- | forward only; | + | type slave; |
- | forwarders { 10.0.10.11; 10.0.10.12; } ; | + | file "/var/cache/bind/db.bouthors.fr"; |
+ | masters {192.168.10.2;}; | ||
}; | }; | ||
- | </file> | + | </code> |
+ | Please choice a writable folder and define the IP of the master DNS. | ||
+ | ===== Allowing dynamic updates ===== | ||
+ | Dynamic updates (aka Dynamic DNS or DDNS) allow to update dynamically records.\\ | ||
+ | This is useful for computers using DHCP. | ||
+ | Updates can be sent by DHCP clients or servers. DHCP server updates are better because records can be removed when the IP allocation is over. | ||
- | ===== Backup ===== | + | **:!: Very important : when a zone is configured to allow dynamic updates, a journal file is created to save updates temporary. Direct edition of the zone file is not possible anymore.**\\ |
- | * zone files : | + | You need to use one of the following method : |
- | * /etc/bind/db.priv.bouthors.fr | + | * use the nsupdate command to send an update manually with the DDNS protocol |
- | * /etc/bind/db.192.168 | + | * stop the dynamics updates with "rndc freeze zone" while editing the zone file |
- | * /etc/bind/named.conf.local | + | |
+ | Before activating the dynamic updates, check that Bind can write into /etc/bind for journal files creation : | ||
+ | chown bind /etc/bind | ||
+ | |||
+ | Add updates authorization for the zone with allow-update : | ||
+ | <code> | ||
+ | zone "ddns.bouthors.fr" { | ||
+ | type master; | ||
+ | file "/etc/bind/db.ddns.bouthors.fr"; | ||
+ | allow-update { 192.168.10.2;192.168.10.3;}; | ||
+ | }; | ||
+ | </code> | ||
+ | |||
+ | After the restart of Bind, test the DDNS with nsupdate : | ||
+ | <code> | ||
+ | # nsupdate | ||
+ | > server 192.168.10.2 | ||
+ | > zone ddns.bouthors.fr | ||
+ | > update add test.ddns.bouthors.fr. 300 IN A 192.168.10.150 | ||
+ | > send | ||
+ | > quit | ||
+ | |||
+ | # nslookup test.ddns.bouthors.fr | ||
+ | Server: 192.168.10.2 | ||
+ | Address: 192.168.10.2#53 | ||
+ | |||
+ | Name: test.ddns.bouthors.fr | ||
+ | Address: 192.168.1.111 | ||
+ | Name: test.ddns.bouthors.fr | ||
+ | Address: 192.168.10.150 | ||
+ | |||
+ | # | ||
+ | </code> | ||
+ | |||
+ | To block updates while editing the zone file, use "rndc freeze zone" and "rndc unfreeze zone", for example : | ||
+ | <code> | ||
+ | # rndc freeze ddns.bouthors.fr | ||
+ | # vi /etc/bind/db.ddns.bouthors.fr | ||
+ | # rndc unfreeze ddns.bouthors.fr | ||
+ | A zone reload and thaw was started. | ||
+ | Check the logs to see the result. | ||
+ | # | ||
+ | </code> | ||
+ | |||
+ | **:!: It is higly recommended to secure the updates with TSIG because it is really easy to usurp DNS updates.** | ||
+ | |||
+ | ===== Configure TSIG ===== | ||
+ | Il est possible de sécuriser les échanges entre serveurs (update, transfert) avec TSIG.\\ | ||
+ | Les étapes sont : | ||
+ | - générer une clef | ||
+ | - configurer cette clef sur les deux serveurs | ||
+ | |||
+ | La génération de la clef se fait avec la commande dnssec-keygen (remplacer dc1-dc2 par les noms de vos serveurs) : | ||
+ | dnssec-keygen -a hmac-md5 -b 128 -n HOST dc1-dc2 | ||
+ | |||
+ | :!: Sous VMWare le résultat n'arrive pas rapidement (cf bug https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/650721), le plus simple est de générer de l'activité disque par exemple avec "find /"). | ||
+ | |||
+ | Deux fichiers sont alors créés avec les extensions .key et .private, nous allons uniquement utiliser la clef présente à la ligne "Key:" dans le fichier .private : | ||
+ | <code> | ||
+ | Private-key-format: v1.2 | ||
+ | Algorithm: 157 (HMAC_MD5) | ||
+ | Key: 0jnu3SdsMvzzlmTDPYRceA== | ||
+ | Bits: AAA= | ||
+ | </code> | ||
+ | |||
+ | Il faut ensuite déclarer cette clef sur les deux serveurs, par exemple sur le master : | ||
+ | <code> | ||
+ | |||
+ | key dc1-dc2 { | ||
+ | algorithm hmac-md5; | ||
+ | secret "0jnu3SdsMvzzlmTDPYRceA=="; | ||
+ | }; | ||
+ | |||
+ | server 192.168.10.3 { | ||
+ | keys {dc1-dc2;}; | ||
+ | }; | ||
+ | |||
+ | zone "bouthors.fr" { | ||
+ | type master; | ||
+ | file "/etc/bind/db.bouthors.fr"; | ||
+ | allow-transfer { key dc1-dc2 ;}; | ||
+ | also-notify {192.168.10.3;}; | ||
+ | allow-update { key dc1-dc2 ;}; | ||
+ | }; | ||
+ | </code> | ||
+ | |||
+ | Sur le slave : | ||
+ | <code> | ||
+ | |||
+ | key dc1-dc2 { | ||
+ | algorithm hmac-md5; | ||
+ | secret "0jnu3SdsMvzzlmTDPYRceA=="; | ||
+ | }; | ||
+ | |||
+ | server 192.168.10.2 { | ||
+ | keys {dc1-dc2;}; | ||
+ | }; | ||
+ | </code> | ||
+ | |||
+ | Enfin, il est conseillé de sécuriser la configuration en supprimant les fichiers .key et .private et en supprimant l'accès à //named.conf.local// : | ||
+ | chmod o-r named.conf.local | ||
+ | |||
+ | ===== IPv6 ===== | ||
+ | :!: Communiquer via IPv6 et fournir des réponses IPv6 sont deux problématiques distinctes. Nous traitons ici de la résolution des noms DNS par des adresses IPv6. | ||
+ | |||
+ | L'annonce d'adresses IPv6 dans le DNS est très simple, il suffit d'ajouter des enregistrements de type AAAA dans la zone. Exemple : | ||
+ | web3 AAAA 2001:470:c981::24 | ||
+ | |||
+ | Il est également possible de paramétrer une zone de résolution inverse.\\ | ||
+ | Attention à bien respecter la notation reverse, chaque caractère hexadécimal est séparé par un point. Exemples : | ||
+ | * 2001:470:c981:: => 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.8.9.c.0.7.4.0.1.0.0.2.ip6.arpa. | ||
+ | * 2001:470:c981::24 => 4.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.8.9.c.0.7.4.0.1.0.0.2.ip6.arpa. | ||
+ | |||
+ | Pour effectuer la transformation, utiliser la commande dig : | ||
+ | <code> | ||
+ | dig -x 2001:470:c981::24 | ||
+ | |||
+ | ... | ||
+ | ;; QUESTION SECTION: | ||
+ | ;4.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.8.9.c.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR | ||
+ | ... | ||
+ | </code> | ||
+ | |||
+ | |||
+ | Dans l'exemple suivant, nous allons créer une zone reserve pour le réseau 2001:470:c981::/48 | ||
+ | |||
+ | Il faut tout d'abord créer un nouveau fichier de zone ///etc/bind/db.2001_470_c981// : | ||
+ | <code> | ||
+ | $ORIGIN . | ||
+ | $TTL 60 ; 1 minute | ||
+ | 1.8.9.c.0.7.4.0.1.0.0.2.ip6.arpa. IN SOA dc1.bouthors.fr. matthieu.bouthors.fr. ( | ||
+ | 2011102301 ; serial | ||
+ | 604800 ; refresh (1 week) | ||
+ | 86400 ; retry (1 day) | ||
+ | 2419200 ; expire (4 weeks) | ||
+ | 60 ; minimum (1 minute) | ||
+ | ) | ||
+ | NS dc1.bouthors.fr. | ||
+ | $ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.8.9.c.0.7.4.0.1.0.0.2.ip6.arpa. | ||
+ | 2.0 PTR dc1.bouthors.fr. | ||
+ | 3.0 PTR dc2.bouthors.fr. | ||
+ | </code> | ||
+ | |||
+ | Puis ajouter la nouvelle zone à //named.conf.local// : | ||
+ | <code> | ||
+ | zone "1.8.9.c.0.7.4.0.1.0.0.2.ip6.arpa" { | ||
+ | type master; | ||
+ | file "/etc/bind/db.2001_470_c981"; | ||
+ | allow-transfer { key dc1-dc2;}; | ||
+ | also-notify {192.168.10.3;}; | ||
+ | }; | ||
+ | </code> | ||
+ | |||
+ | :!: Remarque : la zone reverse IPv6 étant généralement publique, elle peut être synchronisée et annoncée comme les zones forward. | ||
+ | |||
+ | ===== Local network configuration ===== | ||
+ | Look at [[en:reseau]] | ||
+ | |||
+ | |||
+ | ===== Backup ===== | ||
+ | * /etc/bind/* | ||
===== Links ===== | ===== Links ===== | ||
- | * [[bender]] | + | * http://www.isc.org/software/bind |
- | * http://www.isc.org/index.pl?/sw/bind/ | + | |
* http://www.freeos.com/articles/3956/ | * http://www.freeos.com/articles/3956/ | ||
+ | * http://doc.ubuntu-fr.org/bind9 | ||
+ | * http://www.zytrax.com/books/dns/ch7/xfer.html | ||
+ | * http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch04.html | ||
+ | * http://www.cyberciti.biz/faq/unix-linux-bind-named-configuring-tsig/ | ||
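Review bot: the glue record example at the end of the sub zone section, "dc1.ddns.bouthors.fr. NS 192.168.10.2", is not a glue record and will not work as written: glue is an address record for the delegated name server, so the parent zone needs the delegation "ddns.bouthors.fr. NS dc1.ddns.bouthors.fr." plus "dc1.ddns.bouthors.fr. A 192.168.10.2"; an NS record whose target is an IP address delegates nothing. Further points in the same hunk: the serial discussed in the record list (20111021001) does not match the serial in the zone file it describes (1110210001), and only the former follows the YYYYMMDDnn convention the text implies; "chown bind /etc/bind" makes the whole configuration directory writable by the named process, whereas only the dynamic zone file and its journal need to be writable, which is exactly why the slave example already puts its copy under /var/cache/bind, so the ddns zone should live there too; "allow-update { 192.168.10.2;192.168.10.3;};" authorizes updates on source address alone, which the later warning itself calls easy to forge, so the TSIG form "allow-update { key dc1-dc2 ;};" should be the only one presented as acceptable; and "dnssec-keygen -a hmac-md5 -b 128" with "algorithm hmac-md5;" should be replaced by hmac-sha256 (current BIND releases generate TSIG keys with tsig-keygen), since HMAC-MD5 is deprecated for TSIG. Finally, the TSIG and IPv6 sections and the VMware note are in French while the rest of the page is English; they should be translated for consistency.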