Monday, June 30, 2014

DNS installation

http://www.garron.me/en/go2linux/how-setup-dns-server-master-slave-bind.html
http://tecadmin.net/step-by-step-installation-and-configuration-openldap-server-and-freeradius/#
http://www.zytrax.com/books/ldap/ch5/
http://computernetworkingnotes.com/network-administrations/dns-server.html

http://www.unixmen.com/dns-server-installation-step-by-step-using-centos-6-3/

/etc/named.conf

//
// /etc/named.conf
//

options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    auth-nxdomain yes;
    datasize default;
// Uncomment these to enable IPv6 connections support
// IPv4 will still work:
//  listen-on-v6 { any; };
// Add this for no IPv4:
//  listen-on { none; };

    // Default security settings.
    allow-recursion { 127.0.0.1; };
    allow-transfer { none; };
    allow-update { none; };
    version none;
    hostname none;
    server-id none;
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-transfer { any; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "127.0.0.zone";
    allow-transfer { any; };
};

zone "." IN {
    type hint;
    file "root.hint";
};

//zone "example.org" IN {
//  type slave;
//  file "example.zone";
//  masters {
//      192.168.1.100;
//  };
//  allow-query { any; };
//  allow-transfer { any; };
//};

logging {
        channel xfer-log {
                file "/var/log/named.log";
                print-category yes;
                print-severity yes;
                print-time yes;
                severity info;
        };
        category xfer-in { xfer-log; };
        category xfer-out { xfer-log; };
        category notify { xfer-log; };
};

Create a Master Zone

To create a master zone, edit the file named.conf and add the following. In this example, I will create a zone for the domain linux10.com:

zone "linux10.com" IN {
    type master;
    file "linux10.com.zone";
    allow-update { none; };
    allow-transfer { none; };
};

Then create the file linux10.com.zone in the directory given by the "directory" option of your named.conf file.

The file should look at least like this:

$ORIGIN .
$TTL 86400      ; 1 day
linux10.com             IN SOA  primary.server.com. your.email.address. (   ; contact e-mail with "@" written as a dot
                            2010122801 ; serial
                            7200       ; refresh (2 hours)
                            7200       ; retry (2 hours)
                            2419200    ; expire (5 weeks 6 days 16 hours)
                            86400      ; minimum (1 day)
                            )
$TTL 14400      ; 4 hours
                        NS      scz.alketech.com.
                        NS      ns1.alketech.com.
                        A       10.1.1.1 ; If you want to assign a server to your domain
                        MX      10      mx1.linux10.com. ; Your email server if you have any (fully qualified, because $ORIGIN is still ".")
                        MX      20      mx2.linux10.com. ; Your secondary email server if you have one

$ORIGIN linux10.com.
www                     A       1.2.3.4 ; The IP of your web server if you want to have one.
mx1                     A       1.2.3.5 ; The IP of your mx1 server
mx2                     A       1.2.3.6 ; The IP of your mx2 server

Of course yours may have more or fewer lines and servers according to your needs.

Configure a DNS slave server with BIND

It is a good idea to have a slave server in case your master server is not reachable at some point.

Both master and slave need to be defined as your DNS servers at your domain registrar. You may define more than two servers, and that is a good idea. It is also a good idea to have your DNS servers on different networks: if they are all in the same office or data center and that place loses Internet connectivity, all your servers will be out of reach, and you will lose traffic, email, or both.

To the visitors of your servers any DNS server is the same; there is no difference between masters and slaves, so you should define one master and as many slaves as you want (anything between 2 and 4 slaves is fine).

Enable AXFR transfers

Your master DNS server must allow AXFR transfers to the slave servers for this to work, so the first step is to configure your master server to do so. List only the addresses of your slaves in allow-transfer:

zone "linux10.com" IN {
    type master;
    file "linux10.com.zone";
    allow-update { none; };
    allow-transfer { ip.of.slave.server; ip.of.slave.server2; ip.of.slave.server3; };
};

Now create the slave zone in your slave servers.

On the slave server named.conf file you need to configure the slave zone, like this:

zone "linux10.com" {
    type slave;
    file "linux10.com.zone";
    masters { 1.2.3.4; };
    allow-transfer { none; };
};

Testing the configuration

dig @your.master.server your.domain.com ns

Example:

dig @scz.alketech.com linux10.com ns

You should get something like this:

; <<>> DiG 9.2.4 <<>> @scz.alketech.com linux10.com ns
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23659
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;linux10.com.                   IN      NS

;; ANSWER SECTION:
linux10.com.            14400   IN      NS      scz.alketech.com.
linux10.com.            14400   IN      NS      ns1.alketech.com.

;; ADDITIONAL SECTION:
ns1.alketech.com.       14400   IN      A       200.87.59.3
scz.alketech.com.       14400   IN      A       200.87.61.83

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 29 15:35:20 2010
;; MSG SIZE  rcvd: 106

Final tunings

It is a good idea to disable recursion on your authoritative servers, master and slave alike, or at least to allow it only from addresses you trust.

To do this, define an acl at the top level of the file (acl statements are not allowed inside options) and reference it from your options section:

acl recurseallow { 1.2.3.4; 127.0.0.1; };   // top level, outside options
allow-recursion { recurseallow; };          // inside options
recursion yes;                              // inside options

The options section lives in /etc/named.conf on Arch Linux and Slackware, and in /etc/bind/named.conf.options on Debian.
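To verify the allow-transfer setting from the AXFR section and the recursion tuning above from the outside, here is an added Python checker (my own example, not code from the tutorial or from BIND). It builds a raw DNS query with the RD bit set and reports whether the server advertises recursion to this client (RA flag), then requests an AXFR over TCP and reports whether the first reply carries zone records or a REFUSED. It assumes the server listens on port 53 and takes the server address and zone name as command-line arguments.

```python
import socket
import struct
import sys

QTYPE_A, QTYPE_AXFR = 1, 252
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype, txid=0x1234):
    """Encode one RFC 1035 query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_header(msg):
    """Decode the response header: RCODE, RA flag and answer count."""
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "ra": bool(flags & 0x0080), "ancount": ancount}

def recursion_offered(resp):
    """RA set means BIND will recurse for this client (allow-recursion matched)."""
    return parse_header(resp)["ra"]

def axfr_allowed(resp):
    """A first AXFR message carrying records means allow-transfer admitted us."""
    h = parse_header(resp)
    return h["rcode"] == "NOERROR" and h["ancount"] > 0

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf

def tcp_query(server, name, qtype, timeout=5):
    """AXFR is TCP-only; each message is prefixed with a 2-byte length."""
    q = build_query(name, qtype)
    with socket.create_connection((server, 53), timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)  # the first message is enough to judge

if __name__ == "__main__":
    server, zone = sys.argv[1], sys.argv[2]  # e.g. 127.0.0.1 linux10.com
    print("recursion offered:", recursion_offered(tcp_query(server, zone, QTYPE_A)))
    print("AXFR allowed:", axfr_allowed(tcp_query(server, zone, QTYPE_AXFR)))
```

Run it once from a slave's address (AXFR should be allowed, recursion not) and once from an unlisted host (both should be False).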

Only for Slackware and Arch Linux

On Arch Linux and Slackware you need to enable the named daemon to start on each boot. To do this:

On Arch Linux, edit the /etc/rc.conf file and add named to the daemons list.

On Slackware, make the file /etc/rc.bind executable.
============================================================

The Domain Name System FAQs

The DNS is the addressing system for the Internet. Almost anything that interfaces with the Internet (e.g., computers, mobile devices, laptops, ATMs, and POS terminals) relies on DNS services to exchange information. DNS uses specialized servers to translate (or resolve) names such as www.verisigninc.com into numeric addresses that allow data and information to reach its destination. All Internet applications—ranging from websites, email, social networking, and online banking to Voice over Internet Protocol (VoIP), file sharing, and video on demand—depend on the accuracy and integrity of this translation. Without the DNS, the Internet cannot function. The DNS is integral to a nation's critical infrastructure, online business operations and financial transactions, and all Internet-based communications.

What is the DNS?

How does the DNS work?

The domain name space consists of a tree of domain names, subdivided into zones. The top-level or root zone is administered by the U.S. Department of Commerce (DoC) and jointly managed by Verisign and the Internet Assigned Numbers Authority (IANA) functions operator, who maintain the data in the root name servers.

A DNS zone consists of a collection of connected nodes served by an authoritative name server. Authoritative name servers for different zones are responsible for publishing the mappings of domain names to IP addresses. Each node or leaf in the tree has zero or more resource records that hold information associated with the domain name. Every domain name ends with a top-level domain (TLD) such as .com or .tv.

For the Internet to function and to prevent duplication of domain names, there must be one authoritative place to register a domain name. Each TLD has an authoritative registry, which manages a centralized database. The registry propagates the information about domain names and IP addresses in TLD zone files. TLD zone files map active second-level domain names (the portion of the domain name that appears immediately to the left of ".") to the unique IP addresses of the name servers.

Why is DNS vulnerable?

The process of translating a domain name into an IP address is called DNS resolution. When someone types a domain name, such as www.verisigninc.com, into a web browser, the browser contacts a name server to obtain the corresponding IP address. There are two types of name servers: authoritative name servers, which store complete information about a zone, and recursive name servers, which answer DNS queries for Internet users and store DNS response results for a period of time. When a recursive name server receives a response, it caches (stores) it to speed up subsequent queries. Caching helps reduce the number of information requests required, but it is susceptible to man-in-the-middle attacks.

As a result of these attacks, cyber criminals can:

    Hijack emails
    Tap Voice over IP (VoIP)
    Impersonate websites
    Steal passwords and login information
    Extract credit card data and other confidential information

What is cache poisoning?
Cache poisoning occurs when fraudulent DNS data is inserted into the cache of a recursive name server. Recursive name servers temporarily store, or cache, information learned during the name resolution process, but without DNSSEC they have no way to ensure the validity and accuracy of this information. When malicious information is cached on the recursive name server, the server is considered "poisoned." Cache poisoning allows an attacker to redirect traffic to fraudulent sites.


What are man-in-the-middle (MITM) attacks?
A man-in-the-middle (MITM) attack surreptitiously intercepts and modifies communications between two systems. The attacker can potentially modify the communication to redirect traffic to an illegitimate address or website. End users do not detect the "man in the middle" and assume that they are communicating directly with their intended destination.