{{tag>Réseau DNS}}
= Bind9 DNS Notes
See:
* CIS ISC BIND DNS Server Benchmark
Alternatives to Bind:
* [[https://doc.ubuntu-fr.org/unbound|unbound]] (validating recursive resolver)
* PowerDNS
* [[https://en.wikipedia.org/wiki/Knot_DNS|Knot DNS]] (authoritative; Knot Resolver is the recursive counterpart)
* [[https://coredns.io/|CoreDNS]] (cncf.io)
== Import / Export
If zone transfer (AXFR) is allowed for the host you query from, dig can dump the zone directly:
dig -t AXFR @127.0.0.1 acme.fr > /etc/bind/db.acme.fr
This works from the server itself only because ''localhost'' is listed in the zone's **allow-transfer** (see the master configuration below). An AXFR hands out the whole zone, so that list should contain nothing beyond the slaves.
If zone transfer is not allowed you can still fetch the SOA record:
dig @127.0.0.1 +nocmd +multiline +noall +answer SOA acme.fr
The raw dig output can be turned into a zone file with a quick one-shot script (not pretty, sorry):
''dig2bind.sh''
#!/bin/bash
# One-shot conversion of "dig AXFR" output into a BIND zone file.
# Assumes the zone uses a single TTL (the first one seen is written as $TTL).
ZONE=${1:-acme.fr}
SERVER=${2:-127.0.0.1}
ZONE_RE=$(printf '%s' "$ZONE" | sed 's/\./\\./g')   # dots escaped for the sed patterns below
AXFR=$(dig "$ZONE" -t AXFR @"$SERVER" | grep -Ev '^;|^$')
TTL=$(printf '%s\n' "$AXFR" | awk '{print $2}' | sort -u | head -n 1)
echo -e "\$TTL\t$TTL"
# SOA first, in multiline form: origin shortened to @, TTL column dropped, tabs squeezed
dig @"$SERVER" +nocmd +multiline +noall +answer SOA "$ZONE" | sed -e "s/^$ZONE_RE\./@/" | perl -pe "s/\b$TTL\b// if /IN\s+SOA/" | perl -pe 's/\t+/\t/ if /IN\s+SOA/'
# Then every other record: names made relative to the origin, TTL column dropped, duplicates
# removed (an AXFR repeats the SOA at the end), tabs squeezed
printf '%s\n' "$AXFR" | grep -Ev '[[:space:]]IN[[:space:]]+SOA[[:space:]]' | sed -e "s/^$ZONE_RE\./@/" -e "s/\.$ZONE_RE\.//g" | perl -pe "s/\t$TTL\t/\t/" | perl -ne 'print unless $seen{$_}++' | perl -pe 's/\t+/\t/g'
bash dig2bind.sh acme.fr 127.0.0.1 > /etc/bind/db.acme.fr
== Slave
On the slave
UDP/53 must be reachable on the slave so that the master's NOTIFY gets through; the slave itself needs TCP/53 towards the master for the transfer.
''/etc/bind/named.conf.local''
zone "local" {
type slave;
masters { 192.168.15.211; }; // IP of master
allow-notify { 10.8.15.215; }; // extra hosts allowed to send NOTIFY; the masters are always accepted
file "/var/lib/bind/db.local";
allow-transfer { none; }; // the slave does not hand the zone on
};
On the master
''/etc/bind/named.conf.local''
zone "local" {
type master;
file "/etc/bind/db.local";
allow-transfer { localhost; 192.168.16.45; }; // IP of slave, nobody else
notify yes; // NOTIFY goes to every NS listed in the zone (other than the SOA MNAME) and to also-notify
};
Declare the slave as a name server of the zone so that it receives the NOTIFY:
''/etc/bind/db.local''
@ IN NS ns1.local.
ns1 IN A 192.168.16.45
Then increase the serial in db.local and reload; the slave only pulls a new copy when the master's serial is higher than its own.
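As an added example (not part of the original page), a small POSIX shell script that audits a master/slave pair like the one above: it compares the SOA serial on both servers and checks that neither hands the zone to this host via AXFR (this host is in neither **allow-transfer**). The parsing lives in functions that read dig output from stdin so it can be tested on captured text; the addresses in the usage comment are taken from the configuration above and are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a master/slave pair.
# Assumes dig (dnsutils) is installed; hosts and zone are passed as arguments.

# soa_serial: print the serial (third field) of a "dig +short SOA" answer read
# from stdin, e.g. "dns.local. root.dns.local. 2015121606 86400 3600 3600000 86400"
soa_serial() {
    awk 'NF >= 7 { print $3; exit }'
}

# axfr_state: classify the output of "dig AXFR" read from stdin:
#   refused - the server rejected the transfer ("; Transfer failed.")
#   leaked  - resource records came back, i.e. the zone is readable from here
#   unknown - anything else (timeout, unreachable host)
axfr_state() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        echo refused
    elif printf '%s\n' "$out" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]'; then
        echo leaked
    else
        echo unknown
    fi
}

# check_pair MASTER SLAVE ZONE: serials must match and AXFR must be refused
# from this host on both servers; returns non-zero on any finding.
check_pair() {
    master=$1; slave=$2; zone=$3
    rc=0
    m=$(dig +short @"$master" "$zone" SOA | soa_serial)
    s=$(dig +short @"$slave" "$zone" SOA | soa_serial)
    if [ -n "$m" ] && [ "$m" = "$s" ]; then
        echo "$zone: in sync (serial $m)"
    else
        echo "$zone: OUT OF SYNC master=$m slave=$s"
        rc=1
    fi
    for srv in "$master" "$slave"; do
        state=$(dig @"$srv" "$zone" AXFR +time=3 +tries=1 | axfr_state)
        echo "$zone: AXFR from $srv: $state"
        [ "$state" = refused ] || rc=1
    done
    return $rc
}

# Only runs when invoked with arguments, e.g. (addresses from the configs above):
#   sh check_pair.sh 192.168.15.211 192.168.16.45 local
if [ $# -eq 3 ]; then
    check_pair "$@"
fi
```

Run it from a host that is not listed in any **allow-transfer**; a ''leaked'' line means the whole zone is readable by that host.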
== Forwarder
**allow-query** (and **allow-recursion**, which defaults to localhost and the local networks) may need to be widened to the client ranges; ''any'' is only acceptable on a server that is not reachable from the Internet, otherwise the forwarder becomes an open resolver.
''/etc/bind/named.conf.options''
forwarders {
80.67.169.12;
80.67.169.40;
};
allow-query { any; };
== Recursion
See http://www.coursnet.com/2014/12/les-requetes-dns-recursives-iteratives.html
The comment shipped in the default CentOS named.conf sums up the rule: an authoritative server gets **recursion no**; a caching resolver needs **recursion yes** together with **allow-recursion { <client networks>; };** so that it never recurses for the whole Internet.
''/etc/named.conf''
options {
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no;
/*
...
*/
};
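As an added example (not part of the original page), a POSIX shell script that asks a server for a name it does not host and reports whether it recursed. With **recursion no** BIND answers REFUSED; a server that answers with the ''ra'' (recursion available) flag set is an open resolver; an older server that only returns an upward referral (NOERROR, no ''ra'') is treated as closed. The probe name example.com is an assumption; the servers to test are passed as arguments.

```shell
#!/bin/sh
# Added example, not part of the original page: detect whether a name server
# answers recursive queries for zones it is not authoritative for.
# Assumes dig is installed; PROBE must be a name outside every hosted zone.

PROBE=${PROBE:-example.com}   # assumption: not served by the tested servers

# resolver_state: read a full (non +short) dig response from stdin and classify it:
#   open    - answered with the "ra" flag set: the server recursed on our behalf
#   closed  - REFUSED, or answered without "ra" (referral / authoritative data only)
#   unknown - no response header (timeout, unreachable host)
resolver_state() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    if [ -z "$status" ]; then
        echo unknown
    elif [ "$status" = REFUSED ]; then
        echo closed
    else
        case " $flags " in
            *" ra "*) echo open ;;
            *) echo closed ;;
        esac
    fi
}

# check_resolver SERVER: prints the state, returns 0 only when closed
check_resolver() {
    state=$(dig @"$1" "$PROBE" A +recurse +time=3 +tries=1 | resolver_state)
    echo "$1: $state"
    [ "$state" = closed ]
}

# Only runs when servers are given, e.g.: sh open_resolver.sh 10.8.15.215 10.8.16.47
if [ $# -ge 1 ]; then
    rc=0
    for srv in "$@"; do
        check_resolver "$srv" || rc=1
    done
    exit $rc
fi
```

Run it from outside the networks listed in **allow-recursion**: a resolver that is ''open'' from the Internet is usable for amplification regardless of what it answers to its own clients.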
== Disabling IPv6
If IPv6 is not used, named can be restricted to IPv4 for its own sockets by editing /etc/sysconfig/named:
OPTIONS="-4"
''-4'' only changes the transport named uses; to also remove AAAA records from answers sent over IPv4, add an option to /etc/named.conf.
''/etc/named.conf''
options {
directory "/var/named";
filter-aaaa-on-v4 yes;
};
The AAAA records are left in place for queries carrying the DO bit, so DNSSEC validation keeps working; from BIND 9.14 this option is provided by the filter-aaaa plugin rather than by the core options block.
source : https://blog.microlinux.fr/bind-centos-7/
-------------------------
= Install Bind9 DNS Server
== Notes
DNS uses TCP/53 and UDP/53: UDP for ordinary queries, TCP for zone transfers and for answers too large for UDP.
== Install
apt-get install bind9 bind9utils dnsutils
''/etc/bind/named.conf.local''
zone "local" {
type master;
file "/etc/bind/db.local";
allow-transfer { 10.8.16.47; };
notify yes;
};
''/etc/bind/db.local''
$TTL 604800
@ IN SOA dns.local. root.dns.local. (
2015121606 ; serial
86400 ; refresh (1 day)
3600 ; retry (1 hour)
3600000 ; expire (5 weeks 6 days 16 hours)
86400 ; minimum (1 day)
)
@ IN NS dns.local.
@ IN NS ns1.local.
@ IN A 10.8.15.215
dns IN A 10.8.15.215
ns1 IN A 10.8.16.47
bastion IN A 10.8.16.190
proxy IN CNAME bastion
ldap IN A 10.8.16.201
=== If the server must forward (see the allow-query remark in the Forwarder section above)
''/etc/bind/named.conf.options''
forwarders {
10.8.15.1;
};
allow-query { any; };
''/etc/bind/.gitignore''
# rndc and TSIG key material must never be committed
*.key
*.keys
db.0
db.127
db.255
db.empty
db.local
db.root
== Reload
rndc reload
== Check
named-checkconf
named-checkzone local /etc/bind/db.local
#service bind9 reload
rndc reload local   # reloads this zone only
service bind9 status
dig +short @127.0.0.1 bastion.local
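Both the Slave section ("increase the serial and reload") and the check/reload steps above come down to the same routine, so here is one added example (not part of the original page) that does it end to end in POSIX shell: it reads the current serial through named-checkzone, computes the next YYYYMMDDnn serial, rewrites it in the zone file, validates the result and reloads only that zone. It assumes named-checkzone and rndc are on PATH and that the file uses the ''NNNN ; serial'' layout shown in db.local above.

```shell
#!/bin/sh
# Added example, not part of the original page: bump a zone's serial, check
# the file and reload only that zone. Assumes named-checkzone and rndc are on
# PATH and the zone file marks its serial with a "; serial" comment.

# next_serial CURRENT TODAY: next YYYYMMDDnn serial (TODAY as YYYYMMDD).
# First change of a new day -> TODAY01; otherwise CURRENT + 1, which also
# copes with a serial that already ran ahead of the calendar (nn > 99).
# Every step is a small positive increment, as RFC 1982 serial arithmetic requires.
next_serial() {
    cur=$1
    today=$2
    if [ "$cur" -lt "${today}00" ]; then
        echo "${today}01"
    else
        echo $((cur + 1))
    fi
}

# serial_from_checkzone: extract N from the "loaded serial N" line that
# named-checkzone prints on stdin; prints nothing when the zone failed to load
serial_from_checkzone() {
    sed -n 's/.*loaded serial \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# bump_zone ZONE FILE: rewrite the serial, validate, reload the zone
bump_zone() {
    zone=$1; file=$2
    cur=$(named-checkzone "$zone" "$file" | serial_from_checkzone)
    [ -n "$cur" ] || { echo "cannot read serial from $file" >&2; return 1; }
    new=$(next_serial "$cur" "$(date +%Y%m%d)")
    # only touch the number that carries the "; serial" comment
    sed -i "s/$cur\([[:space:]]*;[[:space:]]*serial\)/$new\1/" "$file"
    named-checkzone "$zone" "$file" >/dev/null || { echo "zone check failed after edit" >&2; return 1; }
    rndc reload "$zone"
    echo "$zone: serial $cur -> $new"
}

# Only runs when invoked with arguments, e.g.: sh bump_zone.sh local /etc/bind/db.local
if [ $# -eq 2 ]; then
    bump_zone "$1" "$2"
fi
```

Keeping the increment small matters: a serial that jumps by more than 2^31 is seen as older by the slaves and the zone silently stops replicating.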
== Configure GNU/Linux client
Infrastructure VMs
''/etc/resolv.conf''
#domain local
search local
#options rotate timeout:1 retries:1
#options edns0
nameserver 10.8.15.215
VPN clients
''/etc/resolv.conf''
#domain local
search local
#options rotate timeout:1 retries:1
nameserver 10.9.0.1
Prevent DHCP from overwriting /etc/resolv.conf:
chattr +i /etc/resolv.conf
lsattr /etc/resolv.conf
FIXME: to be tested with systemd-resolved (/etc/systemd/resolved.conf)
On openvpn-it1 (DNS slave)
''/etc/bind/named.conf.local''
zone "local" {
type slave;
masters { 10.8.15.215; };
allow-notify { 10.8.15.215; };
file "/var/lib/bind/db.local";
allow-transfer { 10.9.0.21; } ;
};
== Other
Find every name in the zone files that resolves to a given address: the grep collects candidates from the files, the host lookup confirms what the server really answers.
IP=192.168.10.22
grep -r "$IP" /etc/bind/zones \
  | sed -e 's%^/etc/bind/zones/%%' -e 's%\.db:%:%' \
  | awk '{print $1}' | awk -F: '{print $2 "." $1}' \
  | sed -e 's%^@\.%%' | sort -u \
  | while read -r fqdn; do host "$fqdn"; done \
  | grep "has address $IP\$" | awk '{print $1}'
Get the TTL of an answer, displayed in human-readable units:
dig +ttlunits +noall +answer @127.0.0.1 example.org