Lesson 8 - Directing DNS

The document discusses configuring and managing DNS servers using BIND. It covers topics like installing and configuring BIND, creating and maintaining DNS zones, zone transfers between masters and slaves, and securing DNS servers.

Uploaded by

Linh Hà

Directing DNS

This document is created by Nguyen Hoang Chi [email protected]


Objectives covered

207.1 Basic DNS server configuration (w:3)

207.2 Create and maintain DNS zones (w:3)

207.3 Securing a DNS server (w:2)

1 Configuring a DNS Server

Understand DNS

DNS software

pdnsd
dnsmasq

Installing bind

Bind services and daemons
Red Hat based Debian based

Bind configuration files

Bind zone database files
Red Hat based Debian based

Configure Bind
1. Modify the /etc/named.conf or /etc/named.conf.option

2. Check the named.conf syntax

3. Start the DNS server

Configure DNS client to resolve

Red Hat based Debian based

Working with bind – traditional methods

Working with bind – rndc

Bind logging
Configured in the named.conf file

Channel

• controls where messages are logged and filters what is logged

Category

• defines DNS message types to be logged

Bind logging - channels

Bind logging - categories

2 Create and maintain DNS zones

Zone configuration files

Zone types

Zone databases
Default zone databases are located in either the /var/named/ directory or the
/etc/bind/ directory, depending on your server’s distribution.

Zone transfer

Reasons for zone transfers

o The secondary server’s BIND daemon has started or restarted.
o The zone data’s refresh time has expired.
o The master server (designated by the named.conf file’s allow-notify directive) has sent the secondary server a DNS zone change notification.
o A zone data refresh was requested manually via the rndc utility.

Zone data - directives
$ORIGIN
The $ORIGIN directive sets a domain name that is appended to the end of any name in the
file's records that is not a full domain name. The general syntax is
$ORIGIN domain-name. [comment]

$INCLUDE
The $INCLUDE directive operates just like the include statement in a zone configuration
file. It reads in the designated file and processes any directives or resource records in the
file. The general syntax is as follows:
$INCLUDE filename [origin] [comment]

$TTL
The $TTL directive sets the default time to live (TTL), which determines how long name
server data for a particular resolution is held in cache. The general syntax is
$TTL seconds [comment]
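
The $ORIGIN and $TTL rules above, applied to a small zone, as an added example in Python (not part of the original slides). The function names, the sample zone and the warning rule are assumptions made for illustration; the example goes slightly beyond the text by flagging dotted names that lack a final dot, because the origin is silently appended to them.

```python
# Added example (not from the original slides): expand $ORIGIN and $TTL the way
# the directives above describe. Simplified: no parentheses, no $INCLUDE reads,
# TTLs in plain seconds only.
NAME_RDATA = {"NS": 0, "CNAME": 0, "PTR": 0, "MX": 1}  # position of the name in rdata

# Constructed sample zone data using reserved documentation names and addresses.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN NS    ns1
        IN MX    10 mail.example.com   ; missing trailing dot
ns1     IN A     192.0.2.53
$ORIGIN lab.example.com.
www 300 IN CNAME web.example.com.
"""

def qualify(name, origin):
    """'@' means the origin; a name without a final dot gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin.lstrip(".")

def expand_zone(text, origin):
    """Return (records, warnings); origin is the zone name from named.conf."""
    ttl, owner, records, warnings = None, None, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split(";", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
        elif fields[0] == "$TTL":
            ttl = int(fields[1])
        if fields[0].startswith("$"):
            continue  # other directives such as $INCLUDE are not followed here
        if not raw[0].isspace():  # owner name starts in column 1
            owner = qualify(fields.pop(0), origin)
        rec_ttl = int(fields.pop(0)) if fields[0].isdigit() else ttl
        if fields[0] == "IN":
            fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        idx = NAME_RDATA.get(rtype)
        if idx is not None:
            if "." in rdata[idx] and not rdata[idx].endswith("."):
                warnings.append((lineno, rdata[idx]))  # dotted but not fully qualified
            rdata[idx] = qualify(rdata[idx], origin)
        records.append((owner, rec_ttl, rtype, " ".join(rdata)))
    return records, warnings
```

Calling expand_zone(SAMPLE_ZONE, "example.com.") shows the MX target on line 4 expanding to mail.example.com.example.com., the usual symptom of a forgotten trailing dot.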

Zone data – resource record types

Zone data – example

Reverse zone

Checking zone files

Managing Bind zones - Delegating
Steps to delegate the LPIC2.example.com zone to the LPIC2.example.com server

Edit the named config on the parent zone name server

Managing Bind zones – Troubleshooting

3 Securing a DNS server

Basic Bind security
Keep BIND software current

Hide BIND information

Consider various views

Split DNS server

Run only Bind

Run Bind as a non-root user

Control zone updates

Jailing Bind
Steps to manually configure a chroot jail for Bind
Steps to chroot jail with bind-chroot

DNSSEC

Authenticated answer flag
DNSSEC OK flag

DNSSEC – Signing your zone
Steps to sign zone

Transaction Signature (TSIG)

DANE (DNS-based Authentication of Named Entities)

THANKS!
ANY QUESTIONS?
