Linux/BIND


Summary

Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server.

Description:

BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.

Quick Installation

Install bind, bind tools, and config files:

yum install bind bind-utils caching-nameserver

Start with sample configuration files:

cp /usr/share/doc/bind-9*/sample/etc/* /etc/
cp /usr/share/doc/bind-9*/sample/var/named/* /var/named/

Add the following line under the "options" section of /etc/named.conf:

listen-on { 127.0.0.1; 10.1.100.1; };

Comment out example zones in "view "internal"" section

#       zone "my.internal.zone" {
#               type master;
# ...

Comment out the "key ddns_key" and "view "external"" sections:

#key ddns_key
#{
#       algorithm hmac-md5;
#       secret "use /usr/sbin/dns-keygen to generate TSIG keys";
#};
#view    "external"
# ...

Configure /etc/resolv.conf:

search test.lab
nameserver 127.0.0.1

Have bind auto start on boot:

chkconfig named on

Start bind:

service named restart

Test bind:

dig www.google.com

Installation

BIND 9 Configuration Reference

"The Linux DNS Server is called bind or named; we need version 9. It should already be installed on your system, which can be verified using rpm -q bind." [1]

$ yum info bind
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server.
Description:
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols. BIND includes a DNS server (named),
which resolves host names to IP addresses; a resolver library
(routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating properly.
$ yum info caching-nameserver
Summary: Default BIND configuration files for a caching nameserver
Description:
The  caching-nameserver package includes the configuration files which will make
the ISC BIND named DNS name server act as a simple caching nameserver.
A caching nameserver is a DNS Resolver, as defined in RFC 1035, section 7.
ISC BIND named(8) provides a very efficient, flexible and robust resolver as
well as a server of authoritative DNS data - many users use this package
along with BIND to implement their primary system DNS resolver service.
If you would like to set up a caching name server, you'll need to install
bind, bind-libs, and bind-utils along with this package.

Installation:

yum install bind caching-nameserver
chkconfig named on

The package caching-nameserver is needed for several files found in /var/named.

Optional xserver bind configuration tool:

yum install system-config-bind

The following files need to be configured:

  • /etc/named.conf
  • /etc/resolv.conf
  • /etc/sysconfig/named (optional)
  • /var/named/example.com.zone
  • /var/named/192.168.5.zone

A sample named.conf file can be found here:

/usr/share/doc/bind-9.3.4/sample/etc/named.conf

cp /usr/share/doc/bind-9.3.3/sample/etc/named.conf /etc/named.conf
cp /usr/share/doc/bind-9.3.3/sample/etc/named.root.hints /etc/named.root.hints
# overwrite... 
cp /usr/share/doc/bind-9.3.3/sample/etc/named.rfc1912.zones /etc/named.rfc1912.zones
# optional..
cp /usr/share/doc/bind-9.3.3/sample/etc/rndc.conf /etc/rndc.key
chown root:named /etc/named*
# var stuff
cp /usr/share/doc/bind-9.3.3/sample/var/named/named.root /var/named/named.root
chown root:named /var/named/named.root


See Default named.conf

The file /etc/named.caching-nameserver.conf has only local resolver lines. There are a few differences in the "options" section that the sample named.conf does not include, which appear to be restrictive in nature. These can be incorporated into named.conf if need be.

The file /usr/share/doc/bind-9.3.3/sample/etc/named.rfc1912.zones is missing the following that /etc/named.rfc1912.zones has (but named.root.hints has it):

zone "." IN {
        type hint;
        file "named.ca";
};

/etc/resolv.conf:

search t0e.org
nameserver 127.0.0.1

To regenerate the rndc key:

[root@hal ~]# cat /etc/rndc.key
key "rndckey" {
        algorithm       hmac-md5;
        secret          "wp8YV4CpRykpGe7G8g465Bk0QvVIH8ksd26nst79EZfl8ZaarKD5B0Y4C4zO";
};
[root@hal ~]# rndc-confgen -a
wrote key file "/etc/rndc.key"
[root@hal ~]# cat /etc/rndc.key
key "rndckey" {
        algorithm hmac-md5;
        secret "jyUnvqHOZWGfZnm46KvfoA==";
};

The changes to make to the sample conf file are as follows:

options
{
  ...
  listen-on { 127.0.0.1; 10.10.10.1; };
};

view "internal"
{
  ...
  
  zone "t0e.org" IN {
    type master;
    file "t0e.org.zone";
    allow-update { key "rndckey"; };
    notify yes;
  };
  zone "10.10.10.in-addr.arpa" {
    type master;
    file "t0e.org.rev";
    allow-update { key "rndckey"; };
    notify yes;
  };

  /* comment out all default zones
  zone "my.internal.zone" {
  ...
  zone "my.slave.internal.zone" {
  ...
    // DISABLE COMMENTS
    masters { / * put master nameserver IPs here * / 127.0.0.1; } ;
  ...
  zone "my.ddns.internal.zone" {
  }
  */
};

/* comment out "ddns_key" section, and do include
key ddns_key
{
...
};
*/
include "/etc/rndc.key";

/* comment out "external" section
view    "external"
{
// DISABLE COMMENTS
...
};
*/


The OLD /etc/named.conf I use:

options {
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  listen-on { 127.0.0.1; 10.10.10.3; 10.10.20.3; };
};

controls {
  inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

include "/etc/rndc.key";

zone "t0e.org" IN {
  type master;
  file "t0e.org.zone";
  allow-update { key "rndckey"; };
  notify yes;
};

zone "10.10.10.in-addr.arpa" {
  type master;
  file "t0e.org.rev";
  allow-update { key "rndckey"; };
  notify yes;
};

The /var/named/t0e.org.zone I use:

$TTL    300     ; 5 minutes
t0e.org.              IN SOA  hal.t0e.org. hel.t0e.org. (
                                20070714        ; serial number
                                300             ; refresh (5 minutes)
                                3600            ; retry (1 hour)
                                604800          ; expire (1 week)
                                3600            ; minimum TTL (1 hour)
                                )

                        NS      hal.t0e.org.

fw                      A       10.10.10.1
hal                     A       10.10.10.3

The /var/named/t0e.org.rev I use:

$TTL    300     ; 5 minutes
10.10.10.in-addr.arpa.          IN SOA  hal.t0e.org. hal.t0e.org. (
                                20070714        ; serial number
                                300             ; refresh (5 minutes)
                                3600            ; retry (1 hour)
                                604800          ; expire (1 week)
                                3600            ; minimum TTL (1 hour)
                                )

                        NS      hal.t0e.org.

1                       PTR     fw.t0e.org.
3                       PTR     hal.t0e.org.

Records

Zone:

zone "lab" {
        type master;
        file "/etc/bind/db.lab";
        allow-query { lindonlab; };
};
;; Domain 'lab'
@		IN SOA	ns.keylabs.com.	admin.keylabs.com. (
			2011052800      ; serial DONT FORGET CHANGE
			10800           ; Refresh after 3 hours
			3600            ; Retry after 1 hour
			604800          ; Expire after 1 week
			86400 )         ; Minimum TTL of 1 day


;; KeyLabs Name servers
		IN	NS	ns.keylabs.com.
		IN	NS	ns2.keylabs.com.

;; MX Record
		IN	MX 10	ASPMX.L.GOOGLE.COM.

;; TXT Record
		IN	TXT	"v=spf1 include:_spf.google.com ~all"    ;; quote it: unquoted tokens become separate strings

;; Address Record
iso		IN	A	216.119.202.4

;; Quick Subdomain
admin.tr	IN	A	216.119.202.4

;; CNAME
files		IN	CNAME	iso    ;; cname to local domain
portal		IN	CNAME	oeey.com.    ;; notice end '.'

;; PTR
1		IN	PTR	ws1.oeey.com.

Reverse

zone "202.119.216.in-addr.arpa" {
	type master;
	file "/etc/bind/rev.202.119.216";
};
;; Domain 'lab'
@		IN SOA	ns.keylabs.com.	admin.keylabs.com. (
			2011052800      ; serial DONT FORGET CHANGE
			10800           ; Refresh after 3 hours
			3600            ; Retry after 1 hour
			604800          ; Expire after 1 week
			86400 )         ; Minimum TTL of 1 day

;; KeyLabs Name servers
		IN	NS	ns.keylabs.com.
		IN	NS	ns2.keylabs.com.

;; reverse mapping
;; KeyLabs ( 216.119.192.0 - 216.119.192.253 )
1		IN	PTR	ws-192-1.keylabs.com.
2		IN	PTR	ws-192-2.keylabs.com.

Google Applications

MX Server Settings:
; name			ttl class rr	pref name
; example.com.		IN  MX    10	mail.example.com.

;;
;; GOOGLE APPS
;;
			IN MX 10	ASPMX.L.GOOGLE.COM.
			IN MX 20	ALT1.ASPMX.L.GOOGLE.COM.
			IN MX 20	ALT2.ASPMX.L.GOOGLE.COM.
			IN MX 30	ASPMX2.GOOGLEMAIL.COM.
			IN MX 30	ASPMX3.GOOGLEMAIL.COM.
			IN MX 30	ASPMX4.GOOGLEMAIL.COM.
			IN MX 30	ASPMX5.GOOGLEMAIL.COM.
			IN TXT		"v=spf1 include:_spf.google.com ~all"
calendar		CNAME		ghs.google.com.
docs			CNAME		ghs.google.com.
mail			CNAME		ghs.google.com.

Root Hints

//
//   The 'named.root' root cache hints zone for the bind DNS 'named' nameserver.
//
//   named's cache must be primed with the addresses of the root zone '.' nameservers.
//   The root zone file can be obtained by querying the root 'A' nameserver:
//     $ dig . ns @198.41.0.4 > named.root
//   Or by download via FTP / HTTP:
//     $ wget ftp://ftp.rs.internic.net/domain/named.root
//
//   Every view that is to provide recursive service must include this zone.
//
zone "." IN {
        type hint;
        file "named.root";
};

Secondary Name Server

Install bind, bind tools, and config files:

yum install bind bind-utils

Get root hints:

dig . ns @198.41.0.4 > /etc/named.root.hints

/etc/named.conf:

// general options
options
{
        // Those options should be used carefully because they disable port
        // randomization
        // query-source    port 53;
        // query-source-v6 port 53;

        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";

        allow-transfer { 216.119.206.253; };
        allow-recursion { 216.119.192.0/20; };
        version "Not disclosed";
};

// reduce log verbosity on issues outside our control
logging {
        category lame-servers { null; };
};

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/named.root.hints";
};



//
// Reverse DNS
//

zone "206.119.216.in-addr.arpa" {
        type slave;
        file "slaves/rev.206.119.216.cache";
        masters { 216.119.206.253; };
};



//
// Oeey domains below here
//

zone "oeey.com" {
        type slave;
        file "slaves/db.oeey.cache";
        masters { 216.119.206.253; };
};

DNS Security

Secure dynamic DNS howto


Secure BIND Template v7.1 14 May 2009 TEAM CYMRU noc@cymru.com

Hide Version

Check Version:

dig @[NS_SERVER] -c CH -t txt version.bind
nslookup -q=txt -class=CHAOS version.bind. 0
dig @nameserver version.bind txt chaos
nslookup -type=txt -class=chaos version.bind nameserver
options
{
        ...
        version "not disclosed";
};
version "surely you must be joking";


Log Queries

logging
{
        /* ..... */
        channel query_log {
                //file "data/query.log";
                syslog kern;
                severity debug;
        };
        category queries { query_log; };
};

Query logging at severity debug is verbose and the log grows quickly; for a short investigation it can be switched on and off at runtime with "rndc querylog" instead of editing the config. Logging to the kern facility, as above, also mixes DNS queries into the kernel log; a dedicated file channel or a local syslog facility is easier to filter.

Firewall

DNS queries are normally carried over UDP port 53 [2], so the minimal rule is:

iptables -A INPUT -p udp -i eth0 --destination-port 53 -j ACCEPT

BUT: TCP port 53 is needed as well, and not only for zone transfers. Any answer that does not fit in a UDP datagram is returned truncated and the client retries the same query over TCP, so blocking TCP 53 breaks those lookups.

"Remember that queries can be TCP-based as well as UDP-based, so you must allow traffic from queriers to TCP port 53 as well as UDP port 53, and from your name server to TCP port 53." [3]

"By default host uses UDP when making queries. The -T option makes it use a TCP connection when querying the name server. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests." [4]

"Please note that here I'm not allowing TCP protocol as I don't have secondary DNS server to do zone transfer. Please note if you have secondary server, add following rules to above rules so that secondary server can do zone transfer from primary DNS server..." (http://www.cyberciti.biz/tips/linux-iptables-12-how-to-block-or-open-dnsbind-service-port-53.html)

IPv4 Only

Add "-4" to the bind9 config

/etc/default/bind9:

# run resolvconf?
RESOLVCONF=yes
# startup options for the server
OPTIONS="-4 -u bind"

Source: Configure BIND 9 For IPv4 (or IPv6) Only | Ubuntu Tutorials

Dynamic DNS

Dynamic DNS (DDNS)

See also dhcpd#Dynamic DNS

/var/named/chroot/etc/named.conf:

zone "dnsknowledge.com" IN {
  type master;
  file "dnsknowledge.com.zone";
  allow-update { key rndckey; };
};

# reverse zone
zone "1.168.192.in-addr.arpa" IN {
  type master;
  file "1.168.192.in-addr.arpa.zone";
  allow-update { key rndckey; };
};


Note that the configuration above reuses rndckey, the rndc control key, as the dynamic update key. Whoever holds that secret (the DHCP server, or anyone who can read its configuration) can then also issue rndc commands from any host the controls statement allows. Generate a separate key for updates, for example with dns-keygen as the sample named.conf suggests, and list only that key in allow-update.

Issues

DNS Cache Poisoning Bug

Make sure the fixed query source port is disabled (commented out, as below), so that named uses a random source port for every outgoing query:

        // query-source    port 53;

To find out whether a name server is open to this attack, send the DNS-OARC port test through it:

$ dig +short @{name-server-ip} porttest.dns-oarc.net txt
$ dig +short @ns1.example.com porttest.dns-oarc.net txt
$ dig +short @208.67.222.222 porttest.dns-oarc.net txt

Good:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"208.67.222.222 is GOOD: 26 queries in 0.1 seconds from 26 ports with std dev 17746.18"

Bad:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"125.22.47.139 is POOR: 42 queries in 8.4 seconds from 1 ports with std dev 0.00"

With nslookup:

nslookup -type=txt -timeout=30 porttest.dns-oarc.net
nslookup -type=txt -timeout=30 porttest.dns-oarc.net ns1.your-isp.com
nslookup -type=txt -timeout=30 porttest.dns-oarc.net NS-SERVER-IP
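The checks above (version.bind, the DNS-OARC port test) need a running server and network access. A complementary static check of named.conf for the same weak settings, together with the open-transfer, open-recursion and address-only allow-update cases that come up later on this page, is shown below as an added example; it is not from the original page. The two sample configs are constructed from the page's Default named.conf (with allow-update changed to an address list to exercise that check) and its Secondary Name Server config; the script assumes no quoted string in the config contains "#" or "//".

```shell
#!/bin/sh
# Added example: static audit of a named.conf for the weak settings this page
# discusses. Reads the file only; no queries are sent.

# Strip //, # and /* ... */ comments so that a commented-out setting (the
# sample config carries "query-source port 53" both ways) is not counted as
# active. Assumes no quoted string contains '#' or '//'.
strip_named_comments() {
    awk '
    {
        line = $0; out = ""
        while (length(line) > 0) {
            if (inblk) {                               # inside /* ... */
                p = index(line, "*/")
                if (p == 0) { line = ""; break }
                line = substr(line, p + 2); inblk = 0
            } else {
                p = index(line, "/*")
                q = match(line, /\/\/|#/)
                if (p > 0 && (q == 0 || p < q)) {      # block comment opens first
                    out = out substr(line, 1, p - 1)
                    line = substr(line, p + 2); inblk = 1
                } else {                               # line comment, or none
                    if (q > 0) line = substr(line, 1, q - 1)
                    out = out line; line = ""
                }
            }
        }
        print out
    }' "$1"
}

# audit_named_conf FILE: print one WEAK line per finding; return 1 if any.
audit_named_conf() {
    conf=$(strip_named_comments "$1")
    weak=0
    if printf '%s\n' "$conf" | grep -Eq 'query-source(-v6)?[^;]*port[[:space:]]+53'; then
        echo "WEAK: query-source pinned to port 53 (no source-port randomisation)"
        weak=$((weak + 1))
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '(^|[[:space:];{])version[[:space:]]+"'; then
        echo "WEAK: no version string; CH TXT version.bind returns the real version"
        weak=$((weak + 1))
    fi
    if ! printf '%s\n' "$conf" | grep -q 'allow-transfer'; then
        echo "WEAK: no allow-transfer; zone transfers are open to any client"
        weak=$((weak + 1))
    fi
    if ! printf '%s\n' "$conf" | grep -Eq 'recursion[[:space:]]+no' &&
       ! printf '%s\n' "$conf" | grep -Eq 'allow-recursion|match-clients'; then
        echo "WEAK: recursion not restricted (open resolver)"
        weak=$((weak + 1))
    fi
    if printf '%s\n' "$conf" | tr '\n' ' ' |
       grep -Eq 'allow-update[[:space:]]*[{][^}]*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'; then
        echo "WEAK: allow-update by IP address; UDP updates are spoofable, use a TSIG key"
        weak=$((weak + 1))
    fi
    [ "$weak" -eq 0 ]
}

# Constructed samples: WEAK from the page's Default named.conf (allow-update
# changed to an address list), HARDENED from its Secondary Name Server config.
write_sample_configs() {   # WEAKFILE HARDENEDFILE
    cat > "$1" <<'EOF'
options
{
    /* make named use port 53 for the source of all queries, to allow
     * firewalls to block all ports except 53:
     */
    query-source    port 53;
    query-source-v6 port 53;
    directory "/var/named"; // the default
};
view "internal"
{
    match-clients { localnets; };
    recursion yes;
    # dynamically updateable zone, address-based update control
    zone "my.ddns.internal.zone" {
        type master;
        allow-update { 10.10.10.2; };
        file "slaves/my.ddns.internal.zone.db";
    };
};
EOF
    cat > "$2" <<'EOF'
options
{
        // query-source    port 53;
        // query-source-v6 port 53;
        directory "/var/named";
        allow-transfer { 216.119.206.253; };
        allow-recursion { 216.119.192.0/20; };
        version "Not disclosed";
};
zone "oeey.com" {
        type slave;
        file "slaves/db.oeey.cache";
        masters { 216.119.206.253; };
};
EOF
}
```

Run it as `audit_named_conf /etc/named.conf` (or on the chroot copy) after every change; on the page's own samples the default config produces four findings and the secondary config none. The comment stripper matters: a naive grep for query-source would report the secondary config as weak because the setting is still present, commented out.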


How do I share a dynamic zone between multiple views

Frequently Asked Questions about BIND 9:

Q: How do I share a dynamic zone between multiple views?
A: You choose one view to be master and the second a slave and transfer the zone between views. 

Journal file creation failed

When trying to add a new client record...

Jun 16 10:23:09 hal named[29054]: client 127.0.0.1#32925: updating zone 't0e.org/IN': adding an RR at 'KENDAWG.t0e.org' A
Jun 16 10:23:09 hal named[29054]: client 127.0.0.1#32925: updating zone 't0e.org/IN': adding an RR at 'KENDAWG.t0e.org' TXT
Jun 16 10:23:09 hal named[29054]: journal file t0e.org.zone.jnl does not exist, creating it
Jun 16 10:23:09 hal named[29054]: t0e.org.zone.jnl: create: permission denied
Jun 16 10:23:09 hal named[29054]: client 127.0.0.1#32925: updating zone 't0e.org/IN': error: journal open failed: unexpected error
Jun 16 10:23:09 hal dhcpd: Unable to add forward map from KENDAWG.t0e.org to 10.10.10.229: timed out
#This did not work...
#cd /var/named
#touch t0e.org.zone.jnl
#chown root:named t0e.org.zone.jnl
#service named restart
#This did work...
cd /var/
chown -R named:named named
service named restart

Note that this makes every file under /var/named writable by named, so a compromised or misbehaving named can rewrite the static zone files as well as its journals. The sample named.conf's approach is tighter: keep /var/named root-owned and put only dynamically updated and slave zones in a subdirectory that named can write (slaves/ in the sample); then only that directory needs to be owned by named.

Unexpected RCODE (SERVFAIL)

I get several RCODE error messages in the /var/log/messages log file. These are caused by bad external name servers, not our DNS server.

Updating Zone Info

This article may indicate a way to generate the .jnl files:

nsupdate

Important note: Editing the Zone files while dynamic updates are active... [5]

When dynamic update is enabled for a zone, the zone file can no longer simply be edited by hand.

The DNS server keeps a journal (.jnl) file of incoming updates. The journal is not automatically synchronized into the zone file, but this can be forced with the "rndc stop" command. Extreme care has to be exercised when manually updating a zone subject to dynamic updates: an edit made while named still holds unsynchronized journal entries is either lost or leaves the journal inconsistent with the zone file.

When using BIND 9.3 or later the following can be used, which does not require that named be stopped:

 1. rndc freeze example.com   (writes the journal into the zone file and suspends updates)
 2. edit the zone
 3. rndc thaw example.com     (called "rndc unfreeze" in BIND 9.3)

Remember to increment the serial number in the zone file as you make changes, and run named-checkzone on the file before thawing: a zone that fails to load after the thaw is logged as an error and the edit does not take effect.

Freeze failed not found

[root@fw ~]# rndc freeze
rndc: 'freeze' failed: unexpected end of input

[root@fw ~]# rndc freeze t0e.org
rndc: 'freeze' failed: not found

[root@fw ~]# rndc freeze t0e.org internal
rndc: 'freeze' failed: unknown class/type

This is caused by the "view" configuration: when the zone lives in a view, rndc needs the zone name, the class and the view name, in that order.

Unable to freeze zone - Bind DNS - problem with views?

Unable to freeze zone - Bind DNS - problem with views? Reply:

rndc freeze t0e.org in internal
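The freeze / edit / thaw procedure and the view-qualified rndc syntax above can be wrapped so that the two easy mistakes (forgetting the serial, thawing a zone with a syntax error) are caught. The script below is an added example and not from the original page. It assumes the zone file marks its serial with a "; serial" comment, as the zone files on this page do; the sample zone is constructed from the t0e.org example; rndc and named-checkzone are the standard BIND tools; and the date is passed in as a parameter so the serial logic runs the same way offline.

```shell
#!/bin/sh
# Added example: finish a manual edit of a dynamic zone. Assumes the zone
# file marks its serial with a "; serial" comment, as the zone files on this
# page do. rndc and named-checkzone come with BIND.

# new_serial OLD TODAY: next serial in the YYYYMMDDnn scheme. TODAY is a
# parameter (YYYYMMDD) rather than $(date) so the logic is deterministic.
new_serial() {
    old=$1; today=$2
    case $old in
        ${today}[0-9][0-9]) new=$((old + 1)) ;;    # another change today
        *)                  new="${today}01" ;;    # first change today
    esac
    # A serial must only ever grow (RFC 1982); if the old one is ahead of
    # today's date (a typo, or a plain counter), just increment it.
    [ "$new" -gt "$old" ] || new=$((old + 1))
    echo "$new"
}

# bump_zone_serial FILE TODAY: rewrite the serial in FILE, print the new one.
bump_zone_serial() {
    file=$1; today=$2
    old=$(awk '/[Ss]erial/ { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }' "$file")
    [ -n "$old" ] || { echo "$file: no '; serial' line found" >&2; return 1; }
    new=$(new_serial "$old" "$today")
    awk -v old="$old" -v new="$new" '
        !done && /[Ss]erial/ { sub(old, new); done = 1 }   # first serial line only
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo "$new"
}

# finish_zone_edit ZONE VIEW FILE: run after "rndc freeze ZONE in VIEW" and
# editing FILE. Bumps the serial and refuses to thaw a zone named cannot
# load, since after a failed thaw the edit silently does not take effect.
finish_zone_edit() {
    zone=$1; view=$2; file=$3
    bump_zone_serial "$file" "$(date +%Y%m%d)" >/dev/null || return 1
    if ! named-checkzone "$zone" "$file" >/dev/null; then
        echo "$zone: named-checkzone failed; zone left frozen, fix $file and rerun" >&2
        return 1
    fi
    rndc thaw "$zone" in "$view"
}

# Constructed sample, based on the t0e.org zone on this page.
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL    300     ; 5 minutes
t0e.org.              IN SOA  hal.t0e.org. hel.t0e.org. (
                                20070714        ; serial number
                                300             ; refresh (5 minutes)
                                3600            ; retry (1 hour)
                                604800          ; expire (1 week)
                                3600            ; minimum TTL (1 hour)
                                )
                        NS      hal.t0e.org.
hal                     A       10.10.10.3
EOF
}
```

Usage on this page's setup: `rndc freeze t0e.org in internal`, edit /var/named/t0e.org.zone, then `finish_zone_edit t0e.org internal /var/named/t0e.org.zone`. The zone stays frozen if named-checkzone rejects the file, which is the safe state: updates are refused until you repair it, but named keeps serving what it already has.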

client query (cache) denied

Error:

ns named[13434]: client 65.46.140.82#36817: query (cache) 'txfrwll/AAAA/IN' denied

Cause:

  • This means a recursive request came from the client and was denied. This is good if the client is not an internal system.

Solution:

  • If the client is an internal system that should be allowed to recurse, add its network to allow-recursion, and keep recursion closed to everyone else; a server that recurses for the whole Internet is an open resolver usable for amplification attacks.

For example:

allow-recursion { 10.0.0.0/8; };

client update denied

Error:

ns named[13434]: client 71.195.222.228#54866: update 'keylabs.com/IN' denied

Cause:

  • Some client sent an RFC 2136 dynamic update for a zone it is not allowed to update.

"Someone is trying to update your DNS data using the RFC2136 Dynamic Update protocol." [6]

"This is a "feature" of some (newer) windows versions, that try to register their name in the nameserver that they got configured (e.g. via dhcp). I think there is a registry key to disable this behaviour, this should help you to fix the problem." [7]

Solution:

  • Dynamic updates are governed by allow-update (or update-policy) on the zone, not by allow-transfer, which only controls zone transfers (AXFR/IXFR). If the client is a DHCP server that is meant to update the zone, give it the zone's TSIG key and list that key in the zone's allow-update. Denied updates from ordinary workstations are the Windows self-registration described above and can be ignored.
  • Avoid allowing updates by IP address alone: an update is a single UDP packet, so the source address can be spoofed. A TSIG key (the ddns_key of the sample named.conf, or a key generated with dns-keygen) is the right control.

Example (the DHCP server is configured with the same key name and secret):

allow-update { key "ddns_key"; };

lame server resolving

Error:

Sep 16 04:16:37 ns named[13434]: lame server resolving 'networking.itags.org' (in 'itags.org'?): 74.86.171.244#53

Cause:

  • "A lame server is one that's not responding to a name request it is expected to handle. " [8]
  • "lame-servers - Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to query those servers during resolution." [9]

Solution:

  • If you don't want to be notified of these, you can turn off the logging of this event: [10]
logging {
  // Do not log zones that aren't registered in this server (lame servers)
  category lame-servers { null; };
 }; 

unexpected RCODE resolving

Error:

Sep 16 04:33:55 ns named[13691]: unexpected RCODE (SERVFAIL) resolving 'ns3.fs.net/A/IN': 216.165.108.10#53
Sep 16 04:33:55 ns named[13691]: unexpected RCODE (SERVFAIL) resolving 'ns1.fs.net/A/IN': 216.165.108.10#53
Sep 16 04:33:55 ns named[13691]: unexpected RCODE (SERVFAIL) resolving 'www.scs.stanford.edu/A/IN': 216.165.108.10#53
Sep 16 06:57:43 ns named[13691]: unexpected RCODE (REFUSED) resolving 'gapingvoid.com/A/IN': 87.117.237.205#53
Sep 16 06:57:43 ns named[13691]: unexpected RCODE (REFUSED) resolving 'gapingvoid.com/A/IN': 87.117.237.66#53

Cause:

  • Problems with external Name Servers

Solution:

  • Nothing you can do. You can hide "lame-servers" which should hide this error.
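The four log messages documented above (query (cache) denied, update denied, lame server, unexpected RCODE) are easier to act on when counted per source. The script below is an added example, not from the original page: it summarises a named log in the syslog format shown on this page (IPv4 client addresses assumed) and separates denied updates from hosts that are supposed to send them (a DHCP server, passed as an allowlist) from the Windows self-registration noise. The sample log is constructed from the messages quoted in these sections.

```shell
#!/bin/sh
# Added example: count and classify named log messages of the kinds quoted on
# this page. Assumes the syslog line format shown here and IPv4 client
# addresses ("client A.B.C.D#port:").

# triage_named_log FILE: one line per (category, source) with a count.
triage_named_log() {
    awk '
    /client [0-9.]+#[0-9]+: query \(cache\) .* denied/ {     # recursion refused
        match($0, /client [0-9.]+/); ip = substr($0, RSTART + 7, RLENGTH - 7)
        q[ip]++; next }
    /client [0-9.]+#[0-9]+: update .* denied/ {              # RFC 2136 update refused
        match($0, /client [0-9.]+/); ip = substr($0, RSTART + 7, RLENGTH - 7)
        u[ip]++; next }
    /lame server resolving/ { lame++; next }                 # remote misconfiguration
    /unexpected RCODE \([A-Z]+\)/ {                          # remote server errors
        match($0, /RCODE \([A-Z]+\)/); code = substr($0, RSTART + 7, RLENGTH - 8)
        r[code]++; next }
    END {
        for (ip in q) printf "denied-query %s %d\n", ip, q[ip]
        for (ip in u) printf "denied-update %s %d\n", ip, u[ip]
        for (c in r)  printf "rcode %s %d\n", c, r[c]
        if (lame)     printf "lame-server - %d\n", lame
    }' "$1" | LC_ALL=C sort
}

# check_denied_updates FILE "IP IP ...": the list names hosts that are meant
# to send updates (the DHCP server). A denied update from one of them means
# allow-update or the TSIG key is wrong on one side (return 1); denied
# updates from anything else are workstation self-registration or probing,
# listed for information (return 0).
check_denied_updates() {
    file=$1; known=" $2 "; rc=0
    for ip in $(triage_named_log "$file" | awk '$1 == "denied-update" { print $2 }'); do
        case $known in
            *" $ip "*) echo "misconfigured: expected updater $ip was denied"; rc=1 ;;
            *)         echo "unsolicited update from $ip (ignore unless it persists)" ;;
        esac
    done
    return $rc
}

# Constructed sample, built from the messages quoted in the Issues sections.
write_sample_log() {
    cat > "$1" <<'EOF'
Sep 16 04:10:01 ns named[13434]: client 65.46.140.82#36817: query (cache) 'txfrwll/AAAA/IN' denied
Sep 16 04:10:02 ns named[13434]: client 65.46.140.82#36818: query (cache) 'txfrwll/A/IN' denied
Sep 16 04:12:09 ns named[13434]: client 71.195.222.228#54866: update 'keylabs.com/IN' denied
Sep 16 04:16:37 ns named[13434]: lame server resolving 'networking.itags.org' (in 'itags.org'?): 74.86.171.244#53
Sep 16 04:33:55 ns named[13691]: unexpected RCODE (SERVFAIL) resolving 'ns3.fs.net/A/IN': 216.165.108.10#53
Sep 16 06:57:43 ns named[13691]: unexpected RCODE (REFUSED) resolving 'gapingvoid.com/A/IN': 87.117.237.205#53
EOF
}
```

Typical use is `triage_named_log /var/log/messages` for the overview and `check_denied_updates /var/log/messages "216.119.202.2"` (the DHCP server's address) as a cron check: a non-zero exit means a host that should be updating the zone is being refused, which is a configuration problem on one side rather than noise.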


underscore - bad owner name

Record:

a_b     A  10.1.1.1

Error:

 fio.onpar.net.zone:37: a_b.fio.onpar.net: bad owner name (check-names)
 zone fio.onpar.net/IN: loading master file fio.onpar.net.zone: bad owner name (check-names)
 _default/fio.onpar.net/IN: bad owner name (check-names)

Cause:

  • BIND's check-names option rejects an underscore in the owner name of an address record, because such names are not valid hostnames (RFC 952/1123); underscores are only legitimate in owner names of other record types such as SRV and TXT. The documented way to accept the name anyway is check-names ignore; (or warn) for the zone. What worked on this page's setup was writing the owner name fully qualified:
a_b.fio.onpar.net     A  10.1.1.1

Configuration Defaults

Default named.conf

//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and 
// its manual.
//
options
{
	/* make named use port 53 for the source of all queries, to allow
         * firewalls to block all ports except 53:
         */
	query-source    port 53;	
	query-source-v6 port 53;
	
	// Put files that named is allowed to write in the data/ directory:
	directory "/var/named"; // the default
	dump-file 		"data/cache_dump.db";
        statistics-file 	"data/named_stats.txt";
        memstatistics-file 	"data/named_mem_stats.txt";

};
logging 
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :
 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };	
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the 
// "default" view, which matches all clients.
// 
// If named.conf contains any "view" clause, then all zones MUST be in a view; 
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
	match-clients 		{ localhost; };
	match-destinations	{ localhost; };
	recursion yes;
	# all views must contain the root hints zone:
	include "/etc/named.root.hints";

        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
	 * ONLY be served to localhost clients:
	 */
	include "/etc/named.rfc1912.zones";
};
view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
   that connect via your directly attached LAN interfaces - "localnets" .
 */
	match-clients		{ localnets; };
	match-destinations	{ localnets; };
	recursion yes;
	// all views must contain the root hints zone:
	include "/etc/named.root.hints";

        // include "named.rfc1912.zones";
	// you should not serve your rfc1912 names to non-localhost clients.
 
	// These are your "authoritative" internal zones, and would probably
	// also be included in the "localhost_resolver" view above :

	zone "my.internal.zone" { 
		type master;
		file "my.internal.zone.db";
	};
	zone "my.slave.internal.zone" {
		type slave;
		file "slaves/my.slave.internal.zone.db";
		masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
		// put slave zones in the slaves/ directory so named can update them
	};	
	zone "my.ddns.internal.zone" {
		type master;
		allow-update { key ddns_key; };
		file "slaves/my.ddns.internal.zone.db";
		// put dynamically updateable zones in the slaves/ directory so named can update them
	};			
};
key ddns_key
{
	algorithm hmac-md5;
	secret "use /usr/sbin/dns-keygen to generate TSIG keys";
};
view    "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not on your directly attached LAN interface subnets:
 */
	match-clients		{ !localnets; !localhost; };
	match-destinations	{ !localnets; !localhost; };

	recursion no;
	// you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers

	// all views must contain the root hints zone:
	include "/etc/named.root.hints";

	// These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:

	zone "my.external.zone" { 
		type master;
		file "my.external.zone.db";
	};
};
