DNS Service on Linux. Supawit Wannapila CCNA, RHCE

Transcription

1 DNS Service on Linux Supawit Wannapila CCNA, RHCE

2 Host Name Resolution Common Host Name Service Files (/etc/hosts and /etc/networks) DNS (/etc/resolv.conf) Multiple client-side resolvers: nslookup dig 2

3 The Stub Resolver Read /etc/nsswitch.conf to determine the order in which to query name services, as shown here for the default configuration hosts: files dns 3

4 DNS-Specific Resolver dig Never reads /etc/nsswitch.conf By default, looks only at the nameserver line in /etc/resolv.conf Output is in RFC-standard zone file format, the format used by DNS servers, which makes dig particularly useful for exploring DNS resolution 4

5 Trace a DNS Query with dig dig +trace cmu.ac.th Reads /etc/resolv.conf to determine nameserver Queries for root name servers Chases referals to find name records(answer) This is known as an iterative query Initial Observations: Name are organized in an inverted tree with root (.) at top The name hierarchy allows DNS to cross organizational boundaries Name in records end with a dot when fully-qualified 5

6 Other Observation Answer in the previous trace are in the form of resource records Each resource record has five fields: domain the domain or subdomain being queried ttl how long the record should be cache in second class record classification (usually IN) type record type, such as A or NS rdata resource data to which the domain maps 6

7 ; <<>> DiG P1-RedHat P1.el5 <<>> +trace cmu.ac.th ;; global options: printcmd IN NS d.root-servers.net IN NS e.root-servers.net IN NS f.root-servers.net IN NS g.root-servers.net IN NS h.root-servers.net IN NS i.root-servers.net IN NS j.root-servers.net IN NS k.root-servers.net IN NS l.root-servers.net IN NS m.root-servers.net IN NS a.root-servers.net IN NS b.root-servers.net IN NS c.root-servers.net. ;; Received 449 bytes from #53( ) in 47 ms th IN NS dns1.thnic.co.th. th IN NS ns-th.ripe.net. th IN NS ns.thnic.net. th IN NS ams.sns-pb.isc.org. th IN NS ns-a.thnic.co.th. th IN NS sfba.sns-pb.isc.org. ;; Received 328 bytes from #53(d.root-servers.net) in 104 ms cmu.ac.th IN NS teal.cat.net.th. cmu.ac.th IN NS ns.cmu.ac.th. ;; Received 87 bytes from #53(dns1.thnic.co.th) in 20 ms cmu.ac.th IN SOA ns.cmu.ac.th. postmaster.ns.cmu.ac.th ;; Received 77 bytes from #53(teal.cat.net.th) in 7 ms 7

8 Other Observation(cont) Conceptually, one queries against the domain(name), which is mapped to the rdata for an answer In the trace example, The NS(name server) records are referrals The A(address) record in the final answer and is the default query type for dig 8

9 Summary of common record type domain Class Record Type rdata canonical name IN A IPv4 canonical name IN AAAA IPv6 alias IN CNAME canonical name origin IN MX canonical name for mail exchanger origin IN NS canonical name for nameserver reserved IP address IN PTR canonical name origin IN SOA authoritative info origin refers to the name of a domain or subdomain as it is managed by a particular server canonical means the usual or real name of the host 9

10 Forward Lookups dig ; <<>> DiG P1-RedHat P1.el5 <<>> ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ; IN A ;; ANSWER SECTION: IN A ;; Query time: 7 msec ;; SERVER: #53( ) ;; WHEN: Wed Sep 8 12:23: ;; MSG SIZE rcvd: 47 10

11 Reverse Lookups dig -x ; <<>> DiG P1 <<>> -x ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0 ;; QUESTION SECTION: ; in-addr.arpa. IN PTR ;; ANSWER SECTION: in-addr.arpa. 600 IN PTR host redhat.com. ;; AUTHORITY SECTION: in-addr.arpa. 600 IN in-addr.arpa. 600 IN in-addr.arpa. 600 IN NS ns1.redhat.com. NS ns2.redhat.com. NS ns3.redhat.com. ;; Query time: 530 msec ;; SERVER: #53( ) ;; WHEN: Sun Sep 12 17:55: ;; MSG SIZE rcvd:

12 Mail Exchanger Lookups dig -t mx cmu.ac.th ; <<>> DiG P1-RedHat P1.el5 <<>> -t mx cmu.ac.th ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;cmu.ac.th. IN MX ;; ANSWER SECTION: cmu.ac.th IN MX 20 mx.cmu.ac.th. ;; ADDITIONAL SECTION: mx.cmu.ac.th IN A ;; Query time: 12 msec ;; SERVER: #53( ) ;; WHEN: Wed Sep 8 12:31: ;; MSG SIZE rcvd: 62 12

13 SOA Lookups dig -t soa cmu.ac.th ; <<>> DiG P1-RedHat P1.el5 <<>> -t soa cmu.ac.th ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;cmu.ac.th. IN SOA ;; ANSWER SECTION: cmu.ac.th IN SOA ns.cmu.ac.th. postmaster.ns.cmu.ac.th ;; ADDITIONAL SECTION: ns.cmu.ac.th IN A ;; Query time: 9 msec ;; SERVER: #53( ) ;; WHEN: Wed Sep 8 12:32: ;; MSG SIZE rcvd: 93 13

14 SOA rdata Master nameserver's FQDN Contact Serial number Refresh delay before checking serial number Retry interval for slave servers Expiration for records when the slave cannot contact its master(s) Minimum TTL for negative answers ( no such host ) 14

15 SOA rdata (cont) serial number in common practice based on ISO dates all time are in seconds by default. However, may be used: W=weeks D=days H=Hours M=Minutes Must use capital letters, no space between the number and the unit is allowed 15

16 Being Authoritative The SOA record merely indicates the master server for the origin(domain) A server is authoritative if it has: Delegation from the parent domain: NS record plus A record A local copy of the domain data, including the SOA record 16

17 The Everything Lookups dig -t axfr Observations All records for the zone are transferred Records reveal much inside knowledge of the network Response is too big for UDP, so transfers use TCP Most servers restrict zone transfers to a select few hosts(usually the slave nameservers) Use this command from a slave to test permissions on the master 17

18 Service Profile: DNS Packages: bind, bind-utils, bind-chroot Daemons: /usr/sbin/named Script: /etc/init.d/named Ports: 53 (udp & tcp) Configuration: (Under /var/named/chroot/) /etc/named.conf, /var/named/* Related: caching-nameserver 18

19 Getting Started with BIND Install packages bind for core binaries bind-chroot for security caching-nameserver for an initial configuration Configure startup service named configtest service named start chkconfig named on Proceed with essential named configuration 19

20 Essential named Configuration Configure the stub resolver Define access control in /etc/named.conf Declare client match lists Server interfaces: listen-on and listen-on-v6 What queries should be allowed? Iterative: allow-query { match-list; }; Recursive: allow-recursion { match-list; }; Transfers: allow-transfer { match-list; }; Add data via zone files Test! 20

21 Configure the Stub Resolver On the nameserver: Edit /etc/resolv.conf to specify nameserver Edit /etc/sysconfig/network-scripts/ifcfg-* to specify PEERDNS=no Advantages: Ensure consistent lookups for all applications Simplifies access controls and troubleshooting 21

22 bind-chroot Package Install a chroot environment under /var/named/chroot Move existing config files into the chroot environment, replacing the original files with symlinks Updates /etc/sysconfig/named with a named option: ROOTDIR=/var/named/chroot Tips Insprct /etc/sysconfig/named after installing bindchroot Run ps -ef grep named after starting named to verify startup options 22

23 caching-nameserver Package Provides Tips named.caching-nameserver.conf named.ca containing root server 'hints' Forward and reverse lookup zone files for machinelocal name and IP addresses(e.g., localhost.localdomain) copy named.caching-nameserver.conf to named.conf change ownership to root:named Edit named.conf 23

24 Address Match List A semicolon-seperated list of IP address or subnets used with security directives for host-based access control Format IP address: Trailing dot: CIDR: /24 Use a bang (!) to denote inversion A match list is checked in order, stopping on first match Example: { ; ;! /24; }; 24

25 Access Control List(ACL) In its simplest form, an ACL assigns a name to an address match list Can generally be used in place of a match list (nesting is allowed!) Best practice is to define ACL's at the top of /etc/named.conf Example declarations acl trusted { ; }; acl classroom { /24; trusted; }; acl cracker { /24; }; acl mymasters { ; }; acl myaddress { ; ; }; 25

26 Built-In ACL's BIND pre-defines four ACL's none any localhost localnets - No IP address matches - All IP address matches - Any IP address of the name server matches - Directly-connected networks matches 26

27 Server Interfaces Option: listen-on port 53 { match-list; }; Binds named to specific interfaces Example listen-on port 53 { myaddress; }; listen-on-v6 port 53 { ::1; }; Restart an verify: netstat -tulpn grep named Default: if listen-on is missing, named listens on all interfaces 27

28 Allowing Queries Option: allow-query { match-list; }; Server provide both authoritative and cached answers to clients in match-list Example: allow-query { classroom; cracker; }; Default: if allow-query is missing, named allows all 28

29 Allowing Recursion Option: allow-recursion { match-list; }; Server chases referrals on behalf of clients in the match-list Example: allow-recursion { classroom;!cracker; }; Default: if allow-recursion is missing, named allows all 29

30 Allowing Transfer Option: allow-transfer { match-list; }; Client in the match-list are allowed to act as slave servers Example: allow-transfer {!cracker; classroom; }; Default: if allow-transfer is missing, named allows all 30

31 Modifying BIND Behavior Option: forwarders { match-list; }; Modifier: forward first only; Direct named to recursively query specified servers before or instead of chasing referrals Example: forwarders { mymaster; }; forward only; If the forward modifier is missing, named assumes first 31

32 Access Controls: Putting it Together Sample /etc/named.conf with essential access control options: // acl's make security directive easier to read acl ''myaddress'' { ; ; }; acl ''trusted'' { ; }; acl ''classroom'' { /24; trusted; }; acl ''cracker'' { /24; }; options { #bind to specific interfaces listen-on port 53 { myaddress; }; listen-on-v6 port 53 { ::1; }; # make sure I can always query myself for troubleshooting allow-query { localhost; classroom;!cracker; }; allow-recursion { localhost; classroom;!cracker; }; /* don't let cracker (even trusted) do zone transfers */ allow-transfer { localhost; clasroom;!cracker; }; }; # use a recursive, upstream nameserver forwarders { ; }; forward only; 32

33 Slave Zone Declaration zone ''example.com'' IN { }; type slave; masters { mymasters; }; file ''slaves/example.com.zone'' Sample zone declaration directs the server to: Act as an authoritative nameserver for example.com, where example.com is the origin as specified in the SOA record's domain field Be a slave for this zone Perform zone transfer (AXFR and IXFR) against the hosts in the masters option Store the transferred data in /var/named/chroot/var/named/slaves/example.com.zone Reload named to automatically create the file 33

34 Master Zone Declaration zone ''example.com'' IN { }; type master; file ''example.com.zone''; Sample zone declaration directs the server to: Act as an authoritative nameserver for example.com, where example.com is the origin as specified in rg SOA record's domain field Be a master of this zone Read the master data from /var/named/chroot/var/named/example.com.zone Manually create the master file before reloading named 34

35 Zone File Creation Content of a zone file: A collection of record, beginning with the SOA record symbol is a variable representing the zone's origin as specified in the zone declaration from /etc/named.conf Comments are assembly-style (;) Precautions: BIND append the domain's origin to any name that is not properly dot-terminated If the domain field is missing from a record, BIND uses the value from the previous record Remember to increment the serial number and reload named after modifying a zone file 35

36 Tips for Zone Files Shortcuts: Do not start from scratch copy an exiting zone file installed by the caching-nameserver package To save typing, put $TTL as the first line of a zone file, then omit the TTL from individual records BIND allows you to split multi-valued rdata across lines when enclosed within parentheses () Choose a filename for your zone file that reflects the origin in some way 36

37 Example of multi-line IN SOA server1.example.com. root ( 46 ; serial 3H ; refresh 15M ; retry 1W ; expire authority 1D) ; minimum for negative answers 37

38 Testing Operation Select one of dig or nslookup, and use it expertly to verify the operation of your DNS server Run tail -f /var/log/messages in a separate shell when restarting services Configuration BIND will fail to start for syntax error, so always run service named configtest after editing config file configtest runs two syntax utilities against files specified in your configuration, but the syntax utilities may be run separately against files outside your configuration 38

39 BIND Syntax utilities named-checkconf -t ROOTDIR /path/to/named.conf Inspects /etc/named.conf by default (which will be the wrong file if the -t options is missing) Example: named-checkconf -t /var/named/chroot named-checkzone origin /path/to/zonefile Inspects a specific zone configuration Example: named-checkzone cmu.ac.th /var/named/chroot/var/named/cmu.ac.th.zone 39

40 Delegating Subdomains Steps On the child, create a zone file to hold the subdomain's data On the parent, add an NS record On the parent, add an A record to complete the delegation Glue Records If the child's canonical name is in the subdomain it manages, the A record is called a glue record 40

41 View and Split DNS Answering queries differently based on who is asking match-clients and match-destinations Option and zones defined within a view Any view statement means that all zone definitions must be inside a view Any view statement means that all zone definitions must be inside a view 41

42 View Example view ''internal'' { match-clients { /24; }; recursion yes; zone ''example.com'' { type master; file "example-internal.zone"; }; }; view ''external'' { match-clients { any; }; recursion no; zone ''example.com'' { type master; file "example-external.zone"; }; }; 42

43 Demo 1:Implement a Minimal DNS Server Install package bind bind-utils bind-chroot caching-nameserver yum install bind bind-utils bind-chroot cahcing-nameserver 43

44 Demo 1:Implement a Minimal DNS Server Verify chroot grep ROOTDIR /etc/sysconfig/named ROOTDIR=/var/named/chroot Copy a convenient starting configuration Test cd /var/named/chroot/etc cp named.caching-nameserver.conf named.conf chgrp named named.conf service named configtest Start named at boot time chkconfig named on 44

45 Demo 1:Implement a Minimal DNS Server Modify iptables insert this following line after ESTABLISHED, RELATED line in /etc/sysconfig/iptables -A RH-Firewall-1-INPUT -p tcp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT Reload iptables service iptables restart 45

46 Demo 1:Implement a Minimal DNS Server Edit named.conf to modify and/or add the following app-specific controls in the global options section listen-on port 53 { localhost; }; allow-query { localhost; /24; }; allow-query-cache { localhost; /24; }; allow-transfer { localhost; ; }; forwarders { ; }; forward first; Edit named.conf again, modify the default view's match-clients match-clients { localhost; /24; }; 46

47 Demo 1:Implement a Minimal DNS Server Test configuration and reload named service named configtest service named restart Change DND name solver point to localhost, edit file /etc/resolv.conf search example.com nameserver Test resolve dig dig 47

48 Demo2: Add Data to the Name Server Declare a forward lookup zone: Edit named.conf put the following line above include statement in view section zone ''example.com'' IN { }; type master; file ''example.com.zone''; allow-update { none; }; forwarders { }; Test but have a error ''file not found'' service named configtest 48

49 Demo2: Add Data to the Name Server Create a zone file: Copy an exiting zone file with original permission cd /var/named/chroot/var/named cp -a localdomain.zone example.com.zone Edit SOA IN SOA ns root ( IN SOA ns.example.com. noc.example.com. ( Increment the serial number 49

50 Demo2: Add Data to the Name Server Edit NS IN NS ns Add some IN MX 10 mx ns IN A server IN A mx IN CNAME server station IN A station1 IN A

51 Demo2: Add Data to the Name Server Test configuration and reload service named configtest service named restart Test resolve on localhost and other dig -t axfr example.com ping station1 ping server ping mx 51

52 Demo2: Add Data to the Name Server Declare a inverse lookup zone: Edit named.conf put the following line above include statement in view section zone '' in-addr.arpa'' IN { type master; file '' zone''; allow-update { none; }; forwarders { }; }; Test but have a error ''file not found'' service named configtest 52

53 Demo2: Add Data to the Name Server Create a zone file: Copy an exiting zone file with original permission cd /var/named/chroot/var/named cp -a named.local zone Edit SOA IN SOA ns.example.com. root.example.com. ( Increment the serial number 53

54 Demo2: Add Data to the Name Server Edit NS IN NS ns.example.com. Add some record 101 IN PTR ns.example.com. 102 IN PTR server.example.com. 103 IN PTR station.example.com. 54

55 Demo2: Add Data to the Name Server Test configuration and reload service named configtest service named restart Test resolve on localhost and other dig -x dig -x dig -x dig -t axfr in-addr.arpa 55

56 Demo3: Add slave DNS Repeat step on Demo1 to implement a minimal DNS on the slave server Declare a slave zone: Edit named.conf put the following line above include statement in view section zone ''example.com'' IN { type slave; masters { ; }; file ''slaves/example.com.zone''; forwarders { }; }; Test and reload named service named configtest service named restart 56

57 Demo3: Add slave DNS Inspect file what transferred ls -l /var/named/chroot/var/named/slaves/ Test local resolver dig -t axfr example.com dig station.example.com 57

58 Thank you and have a great day 58