Enabling DNS for IPv6 CSD Fall 2011

Transcription

1 Enabling DNS for IPv6 CSD Fall 2011 Team members: Bowei Dai 15 credits Elis Kullberg 18 credits Hannes Junnila 15 credits Nur Mohammad Rashed 15 credits Siddharth Madan 15 credits Vasily Prokopov 18 credits 2- Dec- 11

2 TABLE OF CONTENTS: 1 VERSION HISTORY INTRODUCTION 4 Purpose of the document. 4 Scope of the document.. 4 Audience of the document REGULAR ZONE IPv6 CONFIGURATION 5 4 REVERSE ZONE IPv6 CONFIGURATION. 6 5 TROUBLESHOOTING REFERENCES.. 8 APPENDIX A 9 APPENDIX B. 11 APPENDIX C. 12 2

3 1 VERSION HISTORY Version number Release date Changes Author(s) 1.1 December 2, 2011 Troubleshooting section added Vasily Prokopov 1.0 November 29, 2011 Document created Vasily Prokopov 3

4 2 INTRODUCTION Purpose of the document The purpose of the document is to describe the configuration of Domain Name System (DNS) server in CareNet in a specific part related to IPv6. Scope of the document The document deals with the CareNet network infrastructure, namely with the DNS server. Audience of the document Project owner, coaches and CareNet teams members form potential audience of the docu- ment. 4

5 3 REGULAR ZONE IPv6 CONFIGURATION The goal was to enable the DNS server of CareNet to answer IPv6 queries and provide IPv6 ad- dresses in response to those queries. For that purpose configuration of existing external care- net- se.se domain zone [1] was modified by adding IPv6 entries for each domain member. Below you will find an example for the Log server: sudo nano /etc/bind/zones/external/carenet-se.se.db log IN A log IN AAAA 2001:6b0:32::94 Every other member of the domain was configured in the same manner. Full configuration is listed in Appendix A. Entries of the external carenet- se.se domain zone are synchronized with DNS servers of SSVL. To check if DNS is providing IPv6 information for CareNet following command could be used: n141-p63:~ vprokopov$ dig AAAA sip.carenet-se.se ; <<>> DiG P3 <<>> AAAA sip.carenet-se.se ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;sip.carenet-se.se. IN AAAA ;; ANSWER SECTION: sip.carenet-se.se. 600 IN AAAA 2001:6b0:32::69 ;; Query time: 99 msec ;; SERVER: #53( ) ;; WHEN: Tue Nov 29 11:54: ;; MSG SIZE rcvd: 63 5

6 4 REVERSE ZONE IPv6 CONFIGURATION Although regular domain zone IPv6 configuration was quite straightforward, reverse domain zone configuration is far more tricky. It starts with creating a zone file with a specific name. In our case since CareNet owns the 2001:6b0:32::/49 network the name is b ip6.arpa. Then reverse PTR entries were specified for every IPv6 enabled domain member. An example for Log server which has an address of 2001:6b0:32::94 could be found below: vprokopov@domain:/$ sudo nano /etc/bind/zones/ b ip6.arpa $ORIGIN b ip6.arpa IN PTR log.carenet-se.se. $ORIGIN is a standard directive described in RFC Full listing of the b ip6.arpa file could be found in Appendix B. After reverse domain zone file was created it should be referenced in the /etc/bind/named.conf.local file (Appendix C): vprokopov@domain:/$ sudo nano /etc/bind/named.conf.local zone " b ip6.arpa" { file "/etc/bind/zones/ b ip6.arpa"; // also-notify { ssvl-ns; ssvl-ns2; gaia; also-notify { ; ; ; // allow-transfer { ssvl-ns; ssvl-ns2; gaia; allow-transfer { ; ; ; allow-query { any; In order to test the reverse DNS for IPv6 the following command might be used: macbook-pro:$ dig -x ; <<>> DiG P3 <<>> -x ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ; b ip6.arpa. IN PTR ;; ANSWER SECTION: b ip6.arpa. 600 IN PTR gwupdate.carenet-se.se. ;; AUTHORITY SECTION: b ip6.arpa. 600 IN NS b ip6.arpa. 600 IN NS b ip6.arpa. 600 IN NS ns.ssvl.kth.se. ns2.ssvl.kth.se. ns.carenet-se.se. ;; ADDITIONAL SECTION: ns.carenet-se.se. 600 IN A ns.carenet-se.se. 600 IN AAAA 2001:6b0:32::66 ;; Query time: 76 msec ;; SERVER: #53( ) ;; WHEN: Tue Nov 29 14:04:

7 5 TROUBLESHOOTING If DNS server is not responding to queries coming on its IPv6 interface: Make sure that BIND is listening on the IPv6 interface (UDP, port 53). You can check that by running following command: etc/bind$ netstat anu Proto Recv-Q Send-Q Local Address Foreign Address State udp6 0 0 ff02::1:2:547 :::* udp6 0 0 :::53 :::* If no, then check if BIND is actually configured to listen on IPv6. You should have similar entry in your /etc/bind/named.conf.options file: vprokopov@domain:/$ sudo nano /etc/bind/named.conf.options listen-on-v6 { any; It is also useful to check the log: vprokopov@domain:/$ sudo tail -100 /var/log/syslog grep named Dec 2 14:02:14 domain named[11033]: listening on IPv6 interfaces, port 53 Dec 2 14:02:14 domain named[11033]: listening on IPv4 interface lo, #53 Dec 2 14:02:14 domain named[11033]: listening on IPv4 interface br0, #53 Dec 2 14:02:14 domain named[11033]: listening on IPv4 interface br0:0, #53 Another reason why BIND could fail to use IPv6 interface is that it is invoked with - 4 option. You can check it in the /etc/default/bind9 file. It should look like the example below. If - 4 option was specified there, then remove it. vprokopov@domain:/$ sudo cat /etc/default/bind9 # run resolvconf? RESOLVCONF=yes # startup options for the server OPTIONS="-u bind -t /var/lib/named" Sometimes, even if the DNS server is listening on IPv6- enabled interface, the IPv6- enabled client could be rejected: vprokopov@domain:/$ sudo cat /var/log/syslog grep denied Dec 2 13:41:08 domain named[10690]: client 2001:6b0:32::70#44326: view _meta: query (cache) 'domain.carenet-se.se/a/in' denied This could happen because the client is being rejected by the ACL configured in the /etc/bind/named.conf.options file. Make sure that zone that you have defined permits IPv6 hosts in its allow- query clause. If you use ACL all or similar to match all possible clients (like we do in CareNet) then make sure you have specified IPv6 entry there: acl all { 0/0; ::/0; 7

8 6 REFERENCES [1] CareNet Fall 2011 Team, "Incident report: DNS misconfiguration". [Online]. Available: se.se/docs/carenet- Fall2011- %5BNOC- 06%5D- Incedent_report- DNS_misconfiguration_ver1-0.pdf. 8

9 APPENDIX A /etc/bind/zones/external/carenet- se.se.db $TTL 600 carenet-se.se. IN SOA ns.carenet-se.se. domain.carenet-se.se. ( ) carenet-se.se. IN NS ns.carenet-se.se. carenet-se.se. IN NS ns.ssvl.kth.se. carenet-se.se. IN NS ns2.ssvl.kth.se. carenet-se.se. IN A carenet-se.se. IN AAAA 2001:6b0:32::66 ;; Routers and interfaces hemma.hecc.se IN A umsdb IN CNAME hemma.hecc.se vav-kislink IN A kis-vavlink IN A vav-hudlink IN A hud-vavlink IN A kis-lanlink IN A vav-kislink IN AAAA 2001:6b0:32:1::1 kis-vavlink IN AAAA 2001:6b0:32:1::2 vav-hudlink IN AAAA 2001:6b0:32:3::1 hud-vavlink IN AAAA 2001:6b0:32:3::2 kis-lanlink IN AAAA 2001:6b0:32::1 ;; Routers' loopacks vr IN A kr IN A hr IN A vr IN AAAA 2001:6b0:32:10::1 kr IN AAAA 2001:6b0:32:10::2 hr IN AAAA 2001:6b0:32:10::3 ;; CareNet-SE servers ns IN A log IN A sip IN A management IN A vmhost1 IN A vmhost2 IN A ums IN A vpn IN A mrs IN A portal IN A gwupdate IN A domain IN CNAME ns mcu IN CNAME sip syslog IN CNAME management server01 IN CNAME vmhost1 server02 IN CNAME vmhost2 ns IN AAAA 2001:6b0:32::66 log IN AAAA 2001:6b0:32::94 sip IN AAAA 2001:6b0:32::69 management IN AAAA 2001:6b0:32::7 9

10 vmhost1 IN AAAA 2001:6b0:32::72 vmhost2 IN AAAA 2001:6b0:32::71 mrs IN AAAA 2001:6b0:32::112 portal IN AAAA 2001:6b0:32::91 gwupdate IN AAAA 2001:6b0:32::85 ;; SIP service records carenet-se.se. IN NAPTR 2 0 "s" "SIP+D2U" "" _sip._udp.carenet-se.se. carenet-se.se. IN NAPTR 2 0 "s" "SIP+D2T" "" _sip._tcp.carenet-se.se. _sip._tcp.carenet-se.se. IN SRV sip.carenet-se.se. _sip._udp.carenet-se.se. IN SRV sip.carenet-se.se. ;; SSVL servers www IN A mail IN CNAME mail.ssvl.kth.se. 10

11 APPENDIX B /etc/bind/zones/ b ip6.arpa $TTL 600 $ORIGIN IN SOA ns.carenet-se.se. admin.carenet-se.se. ( ; 28800; ; ; IN NS IN NS IN NS ns2.ssvl.kth.se IN PTR ns.carenet-se.se. $ORIGIN b ip6.arpa IN PTR sip.carenet-se.se IN PTR log.carenet-se.se IN PTR management.carenet-se.se IN PTR vmhost1.carenet-se.se IN PTR vmhost2.carenet-se.se IN PTR ums.carenet-se.se IN PTR vpn.carenet-se.se IN PTR mrs.carenet-se.se IN PTR portal.carenet-se.se IN PTR gwupdate.carenet-se.se IN PTR kis-lanlink.carenet-se.se. $ORIGIN b ip6.arpa IN PTR vav-kislink.carenet-se.se IN PTR kis-vavlink.carenet-se.se. $ORIGIN b ip6.arpa IN PTR vav-hudlink.carenet-se.se IN PTR hud-vavlink.carenet-se.se. $ORIGIN b ip6.arpa IN PTR vr.carenet-se.se IN PTR kr.carenet-se.se IN PTR hr.carenet-se.se. 11

12 APPENDIX C /etc/bind/named.conf.local view "internal" { match-clients { vpn; include "/etc/bind/zones.rfc1918"; zone "carenet-se.se" { file "/etc/bind/zones/internal/carenet-se.se.db"; allow-query { vpn; zone " in-addr.arpa" { file "/etc/bind/zones/rev in-addr.arpa"; allow-query { kistanetwork; zone "localhost" { file "/etc/bind/db.local"; zone "127.in-addr.arpa" { file "/etc/bind/db.127"; zone "0.in-addr.arpa" { file "/etc/bind/db.0"; zone "255.in-addr.arpa" { file "/etc/bind/db.255"; view "external" { match-clients {!vpn; all; // prime the server with knowledge of the root servers zone "." { type hint; file "/etc/bind/db.root"; zone "carenet-se.se" { file "/etc/bind/zones/external/carenet-se.se.db"; // also-notify { ssvl-ns; ssvl-ns2; gaia; also-notify { ; ; ; // allow-transfer { ssvl-ns; ssvl-ns2; gaia; allow-transfer { ; ; ; allow-query { any; zone " in-addr.arpa" { file "/etc/bind/zones/rev in-addr.arpa"; // also-notify { ssvl-ns; ssvl-ns2; gaia; also-notify { ; ; ; // allow-transfer { ssvl-ns; ssvl-ns2; gaia; allow-transfer { ; ; ; allow-query { any; 12

13 zone " b ip6.arpa" { file "/etc/bind/zones/ b ip6.arpa"; // also-notify { ssvl-ns; ssvl-ns2; gaia; also-notify { ; ; ; // allow-transfer { ssvl-ns; ssvl-ns2; gaia; allow-transfer { ; ; ; allow-query { any; 13