

Bind9 DNS Notes

See:

  • CIS ISC BIND DNS Server Benchmark

Alternative to Bind:

Import / Export

If zone transfer is enabled

dig handles it directly

dig -t AXFR @127.0.0.1 acme.fr  > /etc/bind/db.acme.fr

If zone transfer is not enabled, you can still try

dig @127.0.0.1 +nocmd +multiline +noall +answer SOA acme.fr

This output can be massaged a bit (quick one-shot script, not pretty, sorry)

dig2bind.sh
#! /bin/bash
# Dump a zone with AXFR and rewrite dig's output as a Bind zone file:
# the $TTL directive, then the SOA, then the other records with the origin
# shortened to @ and duplicate lines dropped.
ZONE=acme.fr
NS=127.0.0.1

# TTL column of every record; assumes the zone uses a single TTL
# (with several TTLs "sort -u" prints more than one value and the substitutions below break)
TTL=$(dig "$ZONE" -t AXFR @"$NS" | grep -Ev '^;|^$' | awk '{print $2}' | sort -u)

echo -e "\$TTL\t$TTL"

# SOA first: owner name -> @, TTL column removed, runs of tabs collapsed
dig @"$NS" +nocmd +multiline +noall +answer SOA "$ZONE" | sed -e "s/^$ZONE\./@/" | perl -p -e "s/$TTL// if /IN SOA/" | perl -p -e 's/\t+/\t/ if /IN SOA/'

# Remaining records: origin -> @, TTL column removed, ".acme.fr." suffix stripped, duplicates dropped, SOA skipped
dig "$ZONE" -t AXFR @"$NS" | grep -Ev '^;|^$' | sed -e "s/^$ZONE\./@/" | perl -p -e "s/$TTL//" | perl -p -e "s/\.$ZONE\.//g if /IN/" | perl -ne 'print unless $a{$_}++' | perl -p -e 's/\t+/\t/g' | grep -v SOA
bash dig2bind.sh  > /etc/bind/db.acme.fr

Slave

On the slave

Port 53 must be open on the slave (for NOTIFY)

/etc/bind/named.conf.local
zone "local" {
  type slave;
  masters { 192.168.15.211; }; // IP of master
  allow-notify { 10.8.15.215; };
  file "/var/lib/bind/db.local";
  allow-transfer { none; } ;
};

On the master

/etc/bind/named.conf.local
zone "local" {
        type master; 
        file "/etc/bind/db.local";
        allow-transfer { localhost; 192.168.16.45; }; // IP of Slave
        notify yes;
};
/etc/bind/db.local
@               IN      NS      ns1.local.
ns1             IN      A       192.168.16.45

Change the serial in db.local and reload
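The serial bump is the step that is easiest to forget and easiest to get wrong (a serial that does not increase means the slave never pulls the new zone). The following helper is an added example, not part of the original notes: it rewrites the "; serial" line of a zone file using the YYYYMMDDnn convention seen in the db.local above, and always produces a value strictly greater than the current one, even when the serial is already ahead of today's date. It assumes the serial line looks like the files on this page ("<number> ; serial") and uses GNU sed -i.

```shell
#!/bin/sh
# Added example (not from the original notes): bump the SOA serial of a zone
# file so the master's change is picked up by the slave on refresh/NOTIFY.
# Assumption: the serial line is formatted as "<number> ; serial".

# next_serial CURRENT [YYYYMMDD]: print the next serial.
# Candidate is today's date followed by "00"; if the current serial is already
# at or past that (same day, or a serial from the future), add 1 instead, so the
# value always increases.
next_serial() {
    cur=$1
    today=${2:-$(date +%Y%m%d)}
    candidate="${today}00"
    if [ "$cur" -ge "$candidate" ]; then
        echo $((cur + 1))
    else
        echo "$candidate"
    fi
}

# bump_zone_serial FILE [YYYYMMDD]: rewrite the serial in FILE in place and
# print the new value. Returns non-zero if no numeric "; serial" line exists.
bump_zone_serial() {
    file=$1
    old=$(awk '/;[[:space:]]*serial/ {print $1; exit}' "$file")
    case $old in
        ''|*[!0-9]*) echo "no numeric serial found in $file" >&2; return 1 ;;
    esac
    new=$(next_serial "$old" "$2")
    sed -i "s/^\([[:space:]]*\)${old}\([[:space:]]*;[[:space:]]*serial\)/\1${new}\2/" "$file"
    echo "$new"
}

# Stand-alone demo on a constructed copy of the db.local shown on this page.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
$TTL    604800
@               IN SOA dns.local. root.dns.local. (
                                2015121606 ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                86400      ; minimum (1 day)
                                )
@               IN      NS      dns.local.
dns             IN      A       10.8.15.215
EOF
echo "new serial: $(bump_zone_serial "$demo_file")"
grep serial "$demo_file"
rm -f "$demo_file"
```

On the master the full step is then: bump_zone_serial /etc/bind/db.local && named-checkzone local /etc/bind/db.local && rndc reload local, so a zone that fails to parse is never pushed to the slave.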

Forwarder

It may be necessary to change allow-query

/etc/bind/named.conf.options
        forwarders {
                80.67.169.12;
                80.67.169.40;
        };
        allow-query { any; };

Recursion

See http://www.coursnet.com/2014/12/les-requetes-dns-recursives-iteratives.html

/etc/named.conf
options {
 
        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion no;
 
        /*
        ...
        */
 
};

Disable IPv6

If IPv6 is not used, the protocol can be disabled by editing /etc/sysconfig/named

OPTIONS="-4"

An option must also be added to /etc/named.conf.

/etc/named.conf
options {
  directory "/var/named";
  filter-aaaa-on-v4 yes;
};

source: https://blog.microlinux.fr/bind-centos-7/


Install DNS Server Bind9

Notes

DNS uses TCP port 53 and UDP port 53

Install

apt-get install bind9 bind9utils dnsutils
/etc/bind/named.conf.local
zone "local" {
        type master;
        file "/etc/bind/db.local";
        allow-transfer { 10.8.16.47; };
        notify yes;
};
/etc/bind/db.local
$TTL    604800
@               IN SOA dns.local. root.dns.local. (
                                2015121606 ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                86400      ; minimum (1 day)
                                )
 
@               IN      NS      dns.local.
@               IN      NS      ns1.local.
@               IN      A       10.8.15.215
dns             IN      A       10.8.15.215
ns1             IN      A       10.8.16.47
 
bastion         IN      A       10.8.16.190
proxy           IN      CNAME   bastion
ldap            IN      A       10.8.16.201

If the server must forward

/etc/bind/named.conf.options
        forwarders {
                10.8.15.1;
        };
        allow-query { any; };
/etc/bind/.gitignore
*.key
*.keys
db.0
db.127
db.255
db.empty
db.local
db.root

Reload

rndc reload

Check

named-checkconf
named-checkzone local /etc/bind/db.local
 
#service bind9 reload
rndc reload local
 
service bind9 status
 
dig +short @127.0.0.1 bastion.local
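The check commands above are worth wiring into one step so that rndc reload only runs once named-checkconf and named-checkzone have both passed. The script below is an added example, not part of the original notes: it pulls the zone name and file path out of a named.conf.local written in the simple layout used on this page (one zone statement per block with a file line; this is an assumption, the real named.conf grammar is richer), checks each zone, and reloads only on success. The constructed configuration in the demo mirrors the master and slave snippets above.

```shell
#!/bin/sh
# Added example (not from the original notes): validate configuration and every
# zone file before reloading Bind, so a typo never takes the server down.

# zones_from_conf CONF: print "name path" for each zone statement that carries a
# file directive. Assumption: zone "name" { ... file "path"; ... }; layout as on
# this page; nested views or includes are not handled.
zones_from_conf() {
    awk '
        /^[[:space:]]*zone[[:space:]]+"/ {
            match($0, /"[^"]*"/); name = substr($0, RSTART + 1, RLENGTH - 2)
        }
        name != "" && /^[[:space:]]*file[[:space:]]+"/ {
            match($0, /"[^"]*"/); path = substr($0, RSTART + 1, RLENGTH - 2)
            print name, path; name = ""
        }
    ' "$1"
}

# check_zones CONF: named-checkconf on the main configuration (its default
# file, as on this page), then named-checkzone for every zone in CONF.
# Returns non-zero as soon as one check fails.
check_zones() {
    conf=$1
    named-checkconf || return 1
    zones_from_conf "$conf" | while read -r name path; do
        named-checkzone "$name" "$path" >/dev/null || exit 1
    done
}

# safe_reload CONF: reload only after the checks pass.
safe_reload() {
    if check_zones "$1"; then
        rndc reload
    else
        echo "configuration or zone check failed; not reloading" >&2
        return 1
    fi
}

# Stand-alone demo of the parser on a constructed named.conf.local.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
zone "local" {
        type master;
        file "/etc/bind/db.local";
        allow-transfer { 10.8.16.47; };
        notify yes;
};
zone "example.org" {
  type slave;
  masters { 10.8.15.215; };
  file "/var/lib/bind/db.example.org";
};
EOF
zones_from_conf "$demo_conf"
rm -f "$demo_conf"
```

Typical use on the master is safe_reload /etc/bind/named.conf.local; it prints nothing on success and leaves the running server untouched when a check fails.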

Configure GNU/Linux client

Infra VM

/etc/resolv.conf
#domain local
search local
#options rotate timeout:1 retries:1
#options edns0
nameserver 10.8.15.215

VPN clients

/etc/resolv.conf
#domain local
search local
#options rotate timeout:1 retries:1
nameserver 10.9.0.1

Prevent DHCP from changing /etc/resolv.conf

chattr +i /etc/resolv.conf
 
lsattr /etc/resolv.conf

FIXME: to be tested with systemd (/etc/systemd/resolved.conf)

On openvpn-it1 (DNS Slave)

/etc/bind/named.conf.local
zone "local" {
  type slave;
  masters { 10.8.15.215; };
  allow-notify { 10.8.15.215; };
  file "/var/lib/bind/db.local";
  allow-transfer { 10.9.0.21; } ;
};

Other

# List the names in /etc/bind/zones whose records point at 192.168.10.22, then confirm each one resolves there (rgrep prints "file:line"; the sed/awk chain turns "/etc/bind/zones/<zone>.db:<owner> ..." into "<owner>.<zone>", "@" being the zone itself)
for fqdn in $(rgrep 192.168.10.22 /etc/bind/zones |sed -e 's%^/etc/bind/zones/%%' -e 's%.db%%' |awk '{print $1}' |awk -F':' '{print $2 "." $1 }'  |sed -e 's%^@.%%' |sort -n) ; do host "$fqdn" ; done |grep 'has address 192.168.10.22' |awk '{print $1}'

Get TTL

dig +ttlunits +noall +answer @127.0.0.1 example.org