basic-dns-mod5-config

Module 5
BIND Configuration


named.conf – controls operational features
Located - Linux:
  /etc/named.conf
  /etc/bind/named.conf
Located - BSD:
  /usr/local/etc/named.conf
Located - Windows:
  %systemroot%\system32\dns\etc\named.conf
BIND named.conf
Contains 3 types of info:
  - Comments
  - Clauses – collections of statements
  - Statements – individual statements within clauses
  - Include – in-situ inclusion from separate files (used for admin/security)

BIND – named.conf
/* C-style comment format needs opening and closing markers
** but allows multiple lines or */
/* single lines or */
zone /* in-line comment does not terminate line */ in {some zone statements};
// C++-style comments have single line format, no closing required
...some statement; // comment ends this line
# SHELL/PERL-style comments have single lines, no closing required
some statement; # comment ends this line
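The three comment styles above interact with quoted strings in ways that a naive "strip everything after #" approach gets wrong (a key secret or a file path may legitimately contain # or //). The following scanner is an added example for this module, not ISC code and not one of the course files; the SAMPLE fragment is constructed for illustration and the zone/key contents in it are placeholders.

```python
"""Remove the three comment styles that named.conf accepts.

Added example (not ISC's code, not from the course files): a character
scanner that drops C-style /* ... */ blocks (multi-line or in-line),
C++-style // comments and shell/Perl-style # comments, while copying
double-quoted strings through untouched, so that a '#' or '//' inside a
file path or a key secret is never mistaken for a comment.
"""

# Constructed sample fragment; the secret is a dummy value.
SAMPLE = '''/* C-style comment
** spanning two lines */
zone /* in-line comment does not terminate the line */ "example.com" in { type master; file "master.example.com"; };
options { directory "/var/named"; }; // C++-style comment ends this line
key "rndc-key" { algorithm hmac-sha256; secret "abc#not/a//comment=="; }; # shell-style
'''


def strip_named_conf_comments(text):
    """Return text with all comments removed; quoted strings are preserved."""
    out = []
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch == '"':
            # Copy a quoted string verbatim (up to the closing quote, or to
            # end of input if the quote is unterminated).
            j = text.find('"', i + 1)
            j = n - 1 if j == -1 else j
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("/*", i):
            # Block comment: ends only at the next */, not at end of line.
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        elif text.startswith("//", i) or ch == "#":
            # Line comment: discard up to, but not including, the newline.
            j = text.find("\n", i)
            i = n if j == -1 else j
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def clean_lines(text):
    """Comment-free, whitespace-normalised, non-empty lines of a fragment."""
    return [" ".join(line.split())
            for line in strip_named_conf_comments(text).splitlines()
            if line.strip()]


if __name__ == "__main__":
    for line in clean_lines(SAMPLE):
        print(line)
```

Run it and the three statements come out with every comment gone but the `#` inside the quoted secret intact; that is the behaviour named itself applies when it reads the file.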
BIND – named.conf Clauses
  - ACL – Access Control Lists
  - Controls – remote access (rndc)
  - Logging – controls logging features
  - Options – global options
  - View – allows separate configurations in the same server
  - Zone – defines the zones that are supported
  - Key – used for security data (typically included)
BIND - Statements
Over 120 statements available
  - Many valid in one or more clauses
  - Some valid in only single clauses
  - Pro DNS and BIND classifies them:
    - Transfer
    - Query
    - Operations
    - Security
BIND – Typical named.conf
// change log
// 1. changed by M.E. on 24th January
acl "name" {...
  // acl clauses if present generally come first
  // to avoid forward references
};
key "name" {...
  // key clauses if present must appear
  // before being referenced
};
logging {
  // requires at least a file
  // statement unless using syslog
  // order not important with BIND 9
};
options {
  // other statements (as required)
};
// zone clauses including 'required' zones
zone {
  ....
};
BIND – View named.conf
options {
  // global options
  // other statements as required
};
view "first" {
  // view specific statements (options)
  // view specific zone clauses
  // including required zones
  zone {
  };
  .....
  zone {
  };
};
// end of view "first"
view "second" {
  // view specific statements (options)
  // view specific zone clauses
  // including required zones
  zone {
  };
  zone {
  };
};
// end of view "second"
BIND – View Clause
Each view clause is matched to incoming queries using:
  - match-clients
  - match-destinations
  - match-recursive-only
View clause order is important:
  - Tested in the order in which views are defined
  - Unmatched queries fall through to the next view clause
BIND – View Clause Use
  - Mixed Local/public IPs
    - External – public hosts
    - Internal – local hosts
  - Mixed services
    - Internal caching
    - External authoritative
  - Split horizons
    - different IPs to different sources
BIND – match-clients
match-clients { address_match_element; ... };
match-clients { 10.2.3.0/8;172.16.30.0/16;!192.168.0.0/16; };
BIND – match-destinations
match-destinations { address_match_element; ... };
match-destinations { 192.168.0.3; };
BIND – match-recursive-only
match-recursive-only (yes | no);
match-recursive-only yes;
BIND – Match combined
// named.conf fragment
view "recursive-external" {
  // an address_match_list needs a positive element: a list holding only
  // a negated element matches nobody, so "any" follows the exclusion
  match-clients {!10.2.3.4/24; any;};
  match-recursive-only yes;
  // other view statements
  zone "example.com" in {
    ....
  };
};
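How the three match statements and the view order combine is easiest to see by simulating the selection. The code below is an added example for this module, not ISC's code and not from the course files: it implements the first-match rule of an address_match_list (including `!` negation) and walks a constructed VIEWS table in definition order, exactly as the slides describe. The builtin ACLs localhost and localnets are left out because they depend on the server's own interfaces; the addresses in VIEWS and in the usage section are documentation ranges chosen for illustration.

```python
"""Model BIND's view selection: match-clients, match-destinations,
match-recursive-only, and the first-match rules of an address_match_list.

Added example (not ISC's code, not from the course files).  The VIEWS table
is constructed; the evaluation order reproduces what the slides state:
views are tested in definition order and the first view whose three match
conditions all hold answers the query.
"""
import ipaddress


def address_match(addr, match_list):
    """Evaluate an address_match_list for one address.

    Elements are tried in order; the first element that covers the address
    decides: a plain element means 'match', a '!'-prefixed element means
    'do not match'.  If no element covers the address the result is 'no
    match'.  That is why a list containing only negated elements matches
    nobody: it needs a positive element (e.g. 'any') after the negations.
    """
    ip = ipaddress.ip_address(addr)
    for element in match_list:
        negate = element.startswith("!")
        target = element.lstrip("!").strip()
        if target == "any":
            covered = True
        elif target == "none":
            covered = False
        else:
            # strict=False tolerates prefixes written with host bits set
            # (BIND itself warns about these); 10.2.3.0/8 becomes 10.0.0.0/8.
            covered = ip in ipaddress.ip_network(target, strict=False)
        if covered:
            return not negate
    return False


def select_view(views, client, destination, recursion_desired):
    """Return the name of the first view, in definition order, that accepts
    the query, or None (named would answer REFUSED: no matching view)."""
    for view in views:
        if not address_match(client, view.get("match-clients", ["any"])):
            continue
        if not address_match(destination, view.get("match-destinations", ["any"])):
            continue
        if view.get("match-recursive-only", False) and not recursion_desired:
            continue
        return view["name"]
    return None


# Constructed views, listed in the order they would appear in named.conf.
VIEWS = [
    # Negation-only list: covers nobody, so this view is never selected.
    {"name": "recursive-external",
     "match-clients": ["!10.2.3.0/24"],
     "match-recursive-only": True},
    {"name": "internal",
     "match-clients": ["10.2.3.0/24"]},
    # Catch-all for queries arriving on the (constructed) public listener address.
    {"name": "public-authoritative",
     "match-clients": ["any"],
     "match-destinations": ["192.0.2.53"]},
]

# Same views with the intended meaning: "everyone except 10.2.3.0/24".
FIXED_VIEWS = [{**VIEWS[0], "match-clients": ["!10.2.3.0/24", "any"]}] + VIEWS[1:]


if __name__ == "__main__":
    for table, label in ((VIEWS, "negation only"), (FIXED_VIEWS, "with any;")):
        print("%-14s external client, RD set   -> %s"
              % (label, select_view(table, "203.0.113.7", "192.0.2.53", True)))
        print("%-14s internal client, RD clear -> %s"
              % (label, select_view(table, "10.2.3.4", "192.0.2.53", False)))
```

The first table shows the trap: with `match-clients {!10.2.3.0/24;}` the external recursive client never reaches "recursive-external" and falls through to the authoritative view, so it silently loses recursion; appending `any` restores the intended split. Swapping the order of "internal" and "public-authoritative" would likewise capture internal clients in the public view, which is what "view clause order is important" means in practice.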
BIND Logging
  - defaults logs to syslog or MS Events
  - logging clause is very powerful (complex!)
    - Single or multiple files (channels)
    - type of output (category)
    - severity of message
BIND Logging Clause
logging {
  [ channel channel_name {
    ( file path_name
        [ versions ( number | unlimited ) ]
        [ size size_spec ]
      | syslog syslog_facility
      | stderr
      | null );
    [ severity ( critical | error | warning | notice |
                 info | debug [ level ] | dynamic ); ]
    [ print-category yes | no; ]
    [ print-severity yes | no; ]
    [ print-time yes | no; ]
  }; ]
  [ category category_name {
    channel_name ; [ channel_name ; ... ]
  }; ]
  ...
};
BIND Logging Example
// log to /var/log/named/example.log all events from info UP in severity (no debug)
// uses 3 files in rotation, swaps files when size reaches 250K
// failure messages up to this point are in (syslog) /var/log/messages
//
logging {
  channel example_log {
    file "/var/log/named/example.log" versions 3 size 250k;
    severity info;
  };
  category default {
    example_log;
  };
};
BIND – zone Clause
Defines the zones to be supported
  - Authoritative zones
  - Root-server zone (hints)
  - Special zones
    - Loopback address (forward/reverse)
    - Local IPs (RFC 1918 - reverse map)
    - IPv4/IPv6 as required

BIND – Required zones
  - Caching DNS
    - Root-servers (hints)
    - Loopback (forward/reverse)
    - Local IPs (IPv4/IPv6)
  - Authoritative DNS
    - Zones supported
    - Loopback (forward/reverse)
BIND – caching zones
// required zone for recursive queries
zone "." {
  type hint;
  file "root.servers";
};
// required local host domain
zone "localhost" in {
  type master;
  file "master.localhost";
  allow-update { none; };
};
// localhost reverse map
zone "0.0.127.IN-ADDR.ARPA" in {
  type master;
  file "localhost.rev";
};
// reverse map for local address at example.com
// uses 192.168.254.0 for illustration
zone "254.168.192.IN-ADDR.ARPA" in {
  type master;
  file "view/192.168.254.rev.internal";
};

BIND – Authoritative zones
// required zone for authoritative queries
zone "example.com" {
  type master;
  // private zone files including local hosts
  file "master.example.com";
  allow-update { none; };
};
// required local host domain
zone "localhost" in {
  type master;
  file "master.localhost";
  allow-update { none; };
};
// localhost reverse map
zone "0.0.127.IN-ADDR.ARPA" in {
  type master;
  file "localhost.rev";
  allow-update { none; };
};
BIND – Closed Resolver
  - Open Caching DNS (Resolver) can be used in DDoS
    - Defaults to recursion yes;
  - Closed Caching DNS (Resolver)
    - Limit the IPs allowed to access it
    - use allow-recursion {x.x.x.x;};
    - From BIND 9.4, if no limits are set, defaults to allow-query-cache {localnets;localhost;};
    - Relying on the implicit default is not good practice: state the limit explicitly
BIND - OPEN Resolvers
BIND Closed Resolver
# Authoritative only
# inhibit all recursion
recursion no;
# Any Resolver (caching) function
recursion yes; // default!
# use an appropriate local address scope statement
# to limit recursion requests to local users
allow-recursion {192.168.2.0/24;}; // change IPs as required
# OR if the DNS server's IPs and netmasks cover the whole
# local network you can use:
allow-recursion {"localnets";};
# OR if a personal system
# hard limits on reading
listen-on {127.0.0.1;}; // or listen-on {localhost;};
listen-on-v6 {::1;}; // OR listen-on-v6 {localhost;};
# OR
allow-recursion {"localhost";};
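A quick way to check which of the cases above a given options block actually lands in is to extract the relevant statements and apply BIND 9's fallback order. The script below is an added example for this module, not ISC's code and not from the course files; it assumes the documented BIND 9 behaviour that, when allow-recursion is absent, allow-query-cache applies, then allow-query, then the 9.4+ default of localnets and localhost. The fragments in EXAMPLES are constructed. It is a review aid for reading a configuration, not a replacement for named-checkconf or for querying the running server from outside.

```python
"""Classify an options{} fragment as an open, closed or implicitly-closed resolver.

Added example (not ISC's code, not from the course files).  A deliberately
simple regex pulls out the statements the module discusses (recursion,
allow-recursion, allow-query-cache, allow-query, listen-on, listen-on-v6);
statements with extra keywords such as 'listen-on port 53 {...}' are not
handled.  Assumed fallback order, from the BIND 9 documentation:
allow-recursion, else allow-query-cache, else allow-query, else the
BIND 9.4+ default of {localnets; localhost;}.
"""
import re

FALLBACK_ORDER = ("allow-recursion", "allow-query-cache", "allow-query")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"any", "0.0.0.0/0", "::/0"}


def parse_options(fragment):
    """Return {statement: [elements]} for 'name { a; b; };' and
    {statement: ['value']} for 'name value;'.  Comments are stripped with a
    regex first (quoted strings are not honoured, acceptable for an options
    block); a repeated statement overrides the earlier one."""
    text = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", fragment, flags=re.S)
    found = {}
    for m in re.finditer(r"([a-z0-9-]+)\s*(\{[^}]*\}|[^;{}]+)\s*;", text):
        name, body = m.group(1), m.group(2).strip()
        if body.startswith("{"):
            elems = [e.strip().strip('"') for e in body[1:-1].split(";")]
            found[name] = [e for e in elems if e]
        else:
            found[name] = [body.strip('"')]
    return found


def classify_resolver(fragment):
    """Return (status, reason); status is 'closed', 'open' or 'implicit'."""
    opts = parse_options(fragment)
    # recursion defaults to yes when the statement is absent.
    if opts.get("recursion", ["yes"])[0] == "no":
        return "closed", "recursion no: authoritative-only, never recurses"
    listeners = opts.get("listen-on", []) + opts.get("listen-on-v6", [])
    if listeners and set(listeners) <= LOOPBACK:
        return "closed", "listens on loopback only, so only this host can recurse"
    for name in FALLBACK_ORDER:
        if name in opts:
            if any(e in WILDCARD for e in opts[name]):
                return "open", "%s {%s} grants recursion to everyone" % (name, "; ".join(opts[name]))
            return "closed", "%s limits recursion to %s" % (name, opts[name])
    return ("implicit",
            "no allow-* limit: relies on the BIND 9.4+ default "
            "allow-query-cache {localnets; localhost;}")


# Constructed fragments mirroring the cases on the slide.
EXAMPLES = {
    "authoritative only": "recursion no;",
    "limited recursion": "recursion yes;\nallow-recursion {192.168.2.0/24;}; // change IPs as required",
    "localnets": 'recursion yes;\nallow-recursion {"localnets";};',
    "personal system": "listen-on {127.0.0.1;}; listen-on-v6 {::1;};",
    "defaults only": "recursion yes; // default!",
    "wide open": "recursion yes;\nallow-recursion { any; };",
}

if __name__ == "__main__":
    for label, fragment in EXAMPLES.items():
        status, reason = classify_resolver(fragment)
        print("%-19s %-8s %s" % (label, status, reason))
```

The "defaults only" case is the one the slide calls out: it is closed on BIND 9.4 and later only because of a default, and a later `allow-query { any; }` added for some other reason would, through the fallback order, quietly turn it into an open resolver.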
Quick Quiz
  - BIND's configuration file name?
  - One path to this file on Linux?
  - Name two types of clauses?
  - What is the view clause used for?
  - One BIND statement used to control view clauses?
  - Is the hints file necessary for an authoritative-only DNS?
  - Why do you need a reverse map for RFC 1918 IPs?
Configure BIND9 on PC
  - Check IP address (command prompt -> ipconfig)
  - From directory module-5-config copy
      named.conf.win-cache
      root.servers
      master.localhost
      localhost.rev
    to c:\windows\sysWOW64\dns\etc
  - rename named.conf.win-cache to named.conf
  - Stop MS DNS client - Start ISC BIND service
  - http://zytrax.com/books/dns/ch5/win2k.html
Configure BIND9 on *nix
  - Check IP address (command prompt -> ifconfig)
  - From directory module-5-config copy
      named.conf.unix-cache
      root.servers
      master.localhost
      localhost.rev
      192.168.192.rev
    to /etc or /usr/local/etc as appropriate
  - edit named.conf.unix-cache as required
  - rename named.conf.unix-cache to named.conf
  - Start BIND9 (service named start)
  - http://zytrax.com/books/dns/ch5
Exercise – BIND Configuration
  - Save zone file master.example.com as master.example.net
  - Change all necessary names
  - Add a second MX server (lower priority) using mail1.example.net
  - Address record for mail1.example.net (IP 192.168.2.0)
  - Add zone example.net to named.conf