Bind9 DNS notes
Import / Export
If zone transfer is enabled
dig handles it directly:
dig -t AXFR @127.0.0.1 acme.fr > /etc/bind/db.acme.fr
If zone transfer is not enabled, you can still try:
dig @127.0.0.1 +nocmd +multiline +noall +answer SOA acme.fr
This can be refined a little (a quick one-shot script, not very pretty, sorry):
dig2bind.sh
#! /bin/bash
# A single TTL is assumed for the whole zone: `sort -u` must return exactly one value
TTL=$(dig acme.fr -t AXFR @127.0.0.1 | egrep -v '^;|^$' | awk '{print $2}' | sort -u)
echo -e "\$TTL\t$TTL"
# SOA record, with the zone name replaced by @ and the TTL column removed
dig @127.0.0.1 +nocmd +multiline +noall +answer SOA acme.fr \
  | sed -e 's/^acme\.fr\./@/' \
  | perl -p -e "s/$TTL// if /IN SOA/" \
  | perl -p -e 's/\t+/\t/ if /IN SOA/'
# All other records, made zone-relative, deduplicated, with the SOA (already printed) dropped
dig acme.fr -t AXFR @127.0.0.1 | egrep -v '^;|^$' \
  | sed -e 's/^acme\.fr\./@/' \
  | perl -p -e "s/$TTL//" \
  | perl -p -e 's/\.acme\.fr\.//g if /IN/' \
  | perl -ne 'print unless $a{$_}++' \
  | perl -p -e 's/\t+/\t/g' \
  | grep -v SOA
bash dig2bind.sh > /etc/bind/db.acme.fr
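The one-shot script above breaks as soon as the zone carries more than one TTL (the `sort -u` then returns several values). The Python version below is an added example, not the page's own dig2bind.sh: it parses the same `dig -t AXFR` output, drops the repeated closing SOA that dig prints for a transfer, picks the most common TTL as the `$TTL` default and writes an explicit TTL only on records that differ. The `SAMPLE_AXFR` text is a constructed sample of dig output for a fictitious `acme.fr` zone using documentation addresses; the zone name is passed in rather than hard-coded.

```python
#!/usr/bin/env python3
"""Convert `dig -t AXFR` output into a BIND zone file (added example)."""
from collections import Counter

# Constructed sample of what `dig acme.fr -t AXFR @127.0.0.1` prints.
# dig repeats the SOA at the end of a transfer, and mixes TTLs here on purpose.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.24 <<>> acme.fr -t AXFR @127.0.0.1
;; global options: +cmd
acme.fr.\t\t3600\tIN\tSOA\tns1.acme.fr. hostmaster.acme.fr. 2024010101 7200 900 1209600 3600
acme.fr.\t\t3600\tIN\tNS\tns1.acme.fr.
acme.fr.\t\t3600\tIN\tA\t192.0.2.10
ns1.acme.fr.\t3600\tIN\tA\t192.0.2.53
www.acme.fr.\t300\tIN\tCNAME\tacme.fr.
acme.fr.\t\t3600\tIN\tMX\t10 mx.acme.fr.
mx.acme.fr.\t3600\tIN\tA\t192.0.2.25
acme.fr.\t\t3600\tIN\tSOA\tns1.acme.fr. hostmaster.acme.fr. 2024010101 7200 900 1209600 3600
;; Query time: 1 msec
"""


def parse_axfr(text):
    """Return a list of (owner, ttl, rtype, rdata) tuples from dig AXFR output."""
    records = []
    seen = set()
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue  # dig comments and blank lines
        owner, ttl, klass, rtype, rdata = line.split(None, 4)
        if klass != "IN":
            continue
        rec = (owner, int(ttl), rtype, rdata)
        if rec in seen:
            continue  # the SOA is sent twice in a zone transfer
        seen.add(rec)
        records.append(rec)
    return records


def relative_name(name, zone):
    """acme.fr. -> @, www.acme.fr. -> www; names outside the zone stay absolute."""
    zone = zone.rstrip(".") + "."
    if name == zone:
        return "@"
    if name.endswith("." + zone):
        return name[: -len(zone) - 1]
    return name


def to_zone_file(text, zone):
    """Render the records as a zone file: $TTL line, SOA first, per-record TTL only when it differs."""
    records = parse_axfr(text)
    records.sort(key=lambda r: r[2] != "SOA")  # stable: SOA moves to the front
    default_ttl = Counter(r[1] for r in records).most_common(1)[0][0]
    out = [f"$TTL\t{default_ttl}"]
    for owner, ttl, rtype, rdata in records:
        ttl_field = "" if ttl == default_ttl else str(ttl)
        out.append(f"{relative_name(owner, zone)}\t{ttl_field}\tIN\t{rtype}\t{rdata}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys
    # Usage: dig acme.fr -t AXFR @127.0.0.1 | python3 dig2bind.py acme.fr > db.acme.fr
    zone_name = sys.argv[1] if len(sys.argv) > 1 else "acme.fr"
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AXFR
    sys.stdout.write(to_zone_file(source, zone_name))
```

Run the result through `named-checkzone acme.fr db.acme.fr` before pointing BIND at it, as the page does for `db.local` further down.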
Slave
On slave
Port 53 must be open on Slave (if Notify)
/etc/bind/named.conf.local
zone "local" {
    type slave;
    masters { 192.168.15.211; };     // IP of master
    allow-notify { 10.8.15.215; };
    file "/var/lib/bind/db.local";
    allow-transfer { none; };
};
On Master
/etc/bind/named.conf.local
zone "local" {
    type master;
    file "/etc/bind/db.local";
    allow-transfer { localhost; 192.168.16.45; };   // IP of Slave
    notify yes;
};
/etc/bind/db.local
@    IN NS ns1.local.
ns1  IN A  192.168.16.45
Change serial in db.local and reload
Forwarder
It may be necessary to change allow-query as well
/etc/bind/named.conf.options
forwarders { 80.67.169.12; 80.67.169.40; };
allow-query { any; };
Recursion
See http://www.coursnet.com/2014/12/les-requetes-dns-recursives-iteratives.html
/etc/named.conf
options {
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion no;
    /* ... */
};
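The forwarder snippet above sets `allow-query { any; }`, and the named.conf comment explains why that is dangerous on a recursive server. The following added example (not part of the page or of BIND) is a small audit script that applies exactly those two rules to a named.conf: it flags an `options` block where recursion is on and recursion is allowed from `any` (BIND falls back from `allow-recursion` to `allow-query`, and to `localnets; localhost;` when neither is set), and any zone whose `allow-transfer` is `any`. `WEAK_CONF` and `FIXED_CONF` are constructed configurations; the ACL name `trusted` and the 10.8.0.0/16 range are assumptions, the forwarder addresses are the page's own.

```python
#!/usr/bin/env python3
"""Flag open recursion and open zone transfer in a named.conf (added example)."""
import re

# Constructed config: a forwarding resolver exposed to `any`, plus one zone
# with an unrestricted allow-transfer.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;                     // caching resolver
    forwarders { 80.67.169.12; 80.67.169.40; };
    allow-query { any; };              # anyone may query ...
    /* ... and there is no allow-recursion, so anyone gets recursion */
};
zone "local" {
    type master;
    file "/etc/bind/db.local";
    allow-transfer { any; };
};
"""

# Same service restricted to an ACL (assumed name and range): what the audit should accept.
FIXED_CONF = """
acl "trusted" { 127.0.0.1; 10.8.0.0/16; };
options {
    directory "/var/named";
    recursion yes;
    forwarders { 80.67.169.12; 80.67.169.40; };
    allow-query { trusted; };
    allow-recursion { trusted; };
};
zone "local" {
    type master;
    file "/etc/bind/db.local";
    allow-transfer { 10.8.16.47; };
};
"""


def strip_comments(text):
    """Remove /* */, // and # comments, the three styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def blocks(text):
    """Yield (kind, name, body) for top-level `options { }` and `zone "x" { }` blocks."""
    for m in re.finditer(r'\b(options|zone)\b\s*(?:"([^"]*)")?\s*\{', text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), m.group(2), text[m.end():i - 1]


def address_list(body, key):
    """Items of `key { a; b; };` inside a block body, or None if the statement is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(key), body)
    if not m:
        return None
    return [x.strip() for x in m.group(1).split(";") if x.strip()]


def audit(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for kind, name, body in blocks(strip_comments(conf)):
        if kind == "options":
            rec = re.search(r"\brecursion\s+(yes|no)\s*;", body)
            recursion = rec.group(1) == "yes" if rec else True  # BIND default is yes
            # allow-recursion falls back to allow-query, then to localnets/localhost
            who = (address_list(body, "allow-recursion")
                   or address_list(body, "allow-query")
                   or ["localnets", "localhost"])
            if recursion and "any" in who:
                findings.append("open resolver: recursion is on and allowed from 'any'")
        elif kind == "zone":
            xfer = address_list(body, "allow-transfer")
            if xfer is not None and "any" in xfer:
                findings.append(f"zone {name}: allow-transfer is 'any', which exposes the whole zone")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit(conf) or ["ok"])
```

The parser only understands the plain `statement { item; item; };` shape; it does not follow `include` directives or nested views, so run it on the file `named-checkconf -p` prints, which expands includes.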
Disable IPv6
If IPv6 is not in use, the protocol can be disabled by editing /etc/sysconfig/named
OPTIONS="-4"
An option must also be added to /etc/named.conf.
/etc/named.conf
options {
    directory "/var/named";
    filter-aaaa-on-v4 yes;
};
source: https://blog.microlinux.fr/bind-centos-7/
Install DNS Server Bind9
Notes
DNS uses TCP port 53 and UDP port 53
Install
apt-get install bind9 bind9utils dnsutils
/etc/bind/named.conf.local
zone "local" {
    type master;
    file "/etc/bind/db.local";
    allow-transfer { 10.8.16.47; };
    notify yes;
};
/etc/bind/db.local
$TTL 604800
@       IN SOA   dns.local. root.dns.local. (
                 2015121606 ; serial
                 86400      ; refresh (1 day)
                 3600       ; retry (1 hour)
                 3600000    ; expire (5 weeks 6 days 16 hours)
                 86400      ; minimum (1 day)
                 )
@       IN NS    dns.local.
@       IN NS    ns1.local.
@       IN A     10.8.15.215
dns     IN A     10.8.15.215
ns1     IN A     10.8.16.47
bastion IN A     10.8.16.190
proxy   IN CNAME bastion
ldap    IN A     10.8.16.201
If server must forward
/etc/bind/named.conf.options
forwarders { 10.8.15.1; };
allow-query { any; };
/etc/bind/.gitignore
*.key
*.keys
db.0
db.127
db.255
db.empty
db.local
db.root
Reload
rndc reload
Check
named-checkconf
named-checkzone local /etc/bind/db.local
#service bind9 reload
rndc reload local
service bind9 status
dig +short @127.0.0.1 bastion.local
Configure GNU/Linux client
Infra VM
/etc/resolv.conf
#domain local
search local
#options rotate timeout:1 retries:1
#options edns0
nameserver 10.8.15.215
VPN clients
/etc/resolv.conf
#domain local
search local
#options rotate timeout:1 retries:1
nameserver 10.9.0.1
Prevent DHCP from changing /etc/resolv.conf
chattr +i /etc/resolv.conf
lsattr /etc/resolv.conf
To be tested with systemd (/etc/systemd/resolved.conf)
On openvpn-it1 (DNS Slave)
/etc/bind/named.conf.local
zone "local" {
    type slave;
    masters { 10.8.15.215; };
    allow-notify { 10.8.15.215; };
    file "/var/lib/bind/db.local";
    allow-transfer { 10.9.0.21; };
};
Other
# List every name in the zone files under /etc/bind/zones that points at 192.168.10.22,
# then confirm each one with host (zone files are named <zone>.db)
for fqdn in $(rgrep 192.168.10.22 /etc/bind/zones \
    | sed -e 's%^/etc/bind/zones/%%' -e 's%.db%%' \
    | awk '{print $1}' \
    | awk -F':' '{print $2 "." $1 }' \
    | sed -e 's%^@.%%' \
    | sort -n) ; do
    host $fqdn
done | grep 'has address 192.168.10.22' | awk '{print $1}'
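The `rgrep ... | host` loop above only finds names whose A record literally contains the address; a CNAME such as the page's `proxy IN CNAME bastion` is missed unless `host` happens to be queried for it. The script below is an added example (not part of the page) that does the same search offline over the zone files and follows CNAME chains. It assumes the simple one-record-per-line layout of this page's db.local (no `$ORIGIN`, `$INCLUDE` or parenthesised multi-line records, so the SOA is left out of the sample) and uses a constructed `ZONES` dictionary modelled on db.local plus an assumed second zone `dev.local`.

```python
#!/usr/bin/env python3
"""Names in a set of zone files that resolve to a given IP, CNAMEs included (added example)."""

# Constructed zone files keyed by zone name, modelled on the page's db.local.
ZONES = {
    "local": """\
$TTL 604800
@       IN NS    dns.local.
@       IN A     10.8.15.215
dns     IN A     10.8.15.215
bastion IN A     10.8.16.190
proxy   IN CNAME bastion
www     IN CNAME proxy       ; CNAME chain: www -> proxy -> bastion
ldap    IN A     10.8.16.201
""",
    "dev.local": """\
$TTL 3600
@       IN NS    dns.local.
jump    IN A     10.8.16.190
old     IN CNAME bastion.local.
""",
}


def fqdn(name, zone):
    """Make an owner or CNAME target absolute: @ -> zone., bastion -> bastion.zone."""
    if name == "@":
        return zone + "."
    if name.endswith("."):
        return name
    return f"{name}.{zone}."


def parse_zone(zone, text):
    """Return {fqdn: [(rtype, target), ...]} for the A and CNAME records of one zone file."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments
        if not line or line.startswith("$"):
            continue  # blank lines and $TTL / $ORIGIN directives
        fields = line.split()
        if len(fields) > 1 and fields[1].isdigit():
            del fields[1]  # optional per-record TTL between owner and class
        if len(fields) < 4 or fields[1] != "IN":
            continue
        owner, rtype, rdata = fields[0], fields[2], " ".join(fields[3:])
        if rtype in ("A", "CNAME"):
            target = rdata if rtype == "A" else fqdn(rdata, zone)
            records.setdefault(fqdn(owner, zone), []).append((rtype, target))
    return records


def names_for_ip(ip, zones, max_chain=8):
    """Sorted FQDNs whose A record, directly or through CNAMEs, is `ip`."""
    table = {}
    for zone, text in zones.items():
        table.update(parse_zone(zone, text))

    def resolves_to(name, depth=0):
        if depth > max_chain:  # guard against CNAME loops
            return False
        for rtype, target in table.get(name, []):
            if rtype == "A" and target == ip:
                return True
            if rtype == "CNAME" and resolves_to(target, depth + 1):
                return True
        return False

    return sorted(n for n in table if resolves_to(n))


if __name__ == "__main__":
    # On a real server, read each /etc/bind/zones/<zone>.db into the dict instead
    for name in names_for_ip("10.8.16.190", ZONES):
        print(name)
```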
Get TTL
dig +ttlunits +noall +answer @127.0.0.1 example.org
DNS notes - systemd - systemd-resolved
Install a DNS cache
mkdir /etc/systemd/resolved.conf.d/
chmod 755 /etc/systemd/resolved.conf.d/
For RedHat 9
dnf install systemd-resolved
/etc/systemd/resolved.conf.d/dns_servers.conf
[Resolve]
DNS=8.8.8.8 8.8.4.4
Domains=acme.local dev.local
FallbackDNS=
# Works on RedHat 9. Before that, 'no-negative' was ignored; the default is 'yes'
Cache=no-negative
#StaleRetentionSec=SECONDS
# Fixes the 10-second timeout bug on short-name resolution, e.g. '/usr/bin/host plop'
LLMNR=no
# Useless / not yet used
MulticastDNS=no
DNSSEC=no
DNSOverTLS=no
chmod 644 /etc/systemd/resolved.conf.d/dns_servers.conf
systemctl enable --now systemd-resolved.service
cp -p /etc/resolv.conf /etc/resolv.conf.bak
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
systemctl status systemd-resolved
resolvectl statistics
DNS notes - server - Resolver
Dnsmasq
Multiple DNS Servers with specific domains
/etc/dnsmasq.conf
server=/domain.net/172.166.7.23
server=/domain.com/142.124.17.12
SystemD - systemd-resolved - NetworkManager
Different configurations per network interface
systemctl --now enable systemd-resolved
/etc/NetworkManager/NetworkManager.conf
[main]
dns=systemd-resolved
systemctl reload NetworkManager
Set ipv4.dns-search and/or ipv6.dns-search
sudo resolvectl
Dnsmasq DNS notes
See:
Stéphane Bortzmeyer on his blog https://www.bortzmeyer.org/9267.html: "There are many cases, for example SIGRed (CVE-2020-1350) or DNSpooq (CVE-2020-25681 to CVE-2020-25687). These problems often hit dnsmasq in particular (personally, I have never understood why this software is so widely used, but that is another story)."
Install
yum install dnsmasq
Configuration for a local cache
/etc/dnsmasq.conf
domain-needed
bogus-priv
interface=lo
bind-interfaces
listen-address=127.0.0.1
cache-size=1000
resolv-file=/etc/resolv.dnsmasq
no-poll
no-negcache
#neg-ttl=3600
#no-hosts
## log host queries
#log-queries
#log-facility=/var/log/dnsmasq.log
/etc/resolv.dnsmasq
nameserver 8.8.8.8
nameserver 8.8.4.4
/etc/resolv.conf
nameserver 127.0.0.1
options edns0
