DNS

From Athenaeum

DNS Administration

  • DNS administration is done by Secure Shell login to both name servers. Your user login must belong to the 'admin' users group on each server.
    • ns1.datotel.com - 208.75.82.154
    • ns2.datotel.com - 208.75.82.155
  • If you make changes to a zone file or a bind configuration file, check it with the matching command before reloading:
    • To check the syntax of bind's config files: named-checkconf
    • To check the syntax of bind's zone files: named-checkzone
      • Ex: named-checkzone datotel.com /var/cache/bind/datotel/zone.datotel.com
  • Keys
    • rndc.key - Used by rndc to authenticate its control commands to bind, whether issued locally or from another host
    • TRANSFER.key - Used to authenticate zone transfers between the master and slave name servers
      • This is a shared key and must be the same on both servers.

RNDC

  • Control of Bind (DNS Server) is done through a program called rndc
  • Only in extreme cases will you ever need to restart the bind service. Any configuration changes can be made effective through rndc.

Sample RNDC Commands

  • To quickly see the status of the bind daemon: rndc status
  • Reload only a changed zone: rndc reload "zone you changed"
    • Ex: rndc reload datotel.com
  • Reload the entire Bind configuration: rndc reload
    • Reload is only effective against zones bind has knowledge of.
  • If you need to add a zone or make changes to a bind config file you will need to use: rndc reconfig
    • Reconfig is only effective against zones bind has no knowledge of.
  • To see bind stats use: rndc stats
    • Stats can then be found in: /var/log/named/named.stats

SOA Records Explained

Caching and time to live
Because of the huge volume of requests generated by a system like the DNS, the designers wished to provide a mechanism to reduce the load on individual DNS servers. The mechanism devised provided that when a DNS resolver (i.e. client) received a DNS response, it would cache that response for a given period of time. A value (set by the administrator of the DNS server handing out the response) called the time to live, or TTL defines that period of time. Once a response goes into cache, the resolver will consult its cached (stored) answer; only when the TTL expires (or when an administrator manually flushes the response from the resolver's memory) will the resolver contact the DNS server for the same information.

Generally, the time to live is specified in the Start of Authority (SOA) record. SOA parameters are:

Serial — the zone serial number, incremented when the zone file is modified, so the slave and secondary name servers know when the zone has been changed and should be reloaded.
Refresh — This is the number of seconds between update requests from secondary and slave name servers.
Retry — This is the number of seconds the secondary or slave will wait before retrying when the last attempt has failed.
Expire — This is the number of seconds a master or slave will wait before considering the data stale if it cannot reach the primary name server.
Minimum — Previously used to determine the minimum TTL, this is used for negative caching. This is the default TTL if the domain does not specify a TTL.
TTL — The number of seconds a resolver may keep a record in its cache before it expires and the resolver must return to the authoritative name servers for updated information.

ns1.datotel.com

Server Configuration

  • Work in Progress...

Create A New Master Zone (Domain)

  • Login to ns1.datotel.com via SSH
  • Switch to root user
user@ns1:~$ sudo bash
  • Change working directory to /var/chroot/named/var/cache/bind/
  • Create new client directory ("netlabs" will be used as an example)
root@ns1:/var/chroot/named/var/cache/bind# mkdir ./netlabs
  • Change working directory to newly created directory
root@ns1:/var/chroot/named/var/cache/bind# cd ./netlabs
  • Create a new zone file (vi is used here but any text editor will work)
root@ns1:/var/chroot/named/var/cache/bind/netlabs# vim ./zone.netlabs.biz
  • Your new zone file should contain information similar to what is shown below:
$ORIGIN .
$TTL 900        ; 15 minutes
netlabs.biz             IN SOA  ns1.datotel.com. sysadmin.netlabs-sp.com. (
                                2007050401 ; serial
                                43200      ; refresh (12 hours)
                                3600       ; retry (1 hour)
                                1209600    ; expire (2 weeks)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns1.datotel.com.
                        NS      ns2.datotel.com.
                        MX      10 smtp1.datotel.com.
                        MX      10 smtp2.datotel.com.
                        A       208.75.80.40

$ORIGIN netlabs.biz.
fw                      A       63.78.188.29
www                     CNAME   netlabs.biz.
ftp                     CNAME   netlabs.biz.
mail                    A       208.75.80.38
vpn                     A       208.75.80.34
asterisk                A       63.78.188.23
  • $ORIGIN . sets the origin to the root at the start of this zone file, so the names that follow are written out in full.
  • $TTL is the default time to live for any resource record that does not carry its own TTL value. The number listed is the number of seconds a caching name server may keep a record from this zone, so it also determines how long changes take to propagate.
  • netlabs.biz is the Start of Authority (SOA) record for the netlabs.biz domain. The primary name server and administrative contact are listed here.
  • 2007050401 is the serial number of the zone file. The master and slave name servers compare it to determine whether the slave's copy of the zone is up to date. The format of the serial number is YYYYMMDDss, where ss=01-99.
  • 43200 is the refresh interval: the number of seconds before the slave name servers check the master for an updated zone.
  • 3600 is the retry interval: the number of seconds a slave waits before trying again after a failed refresh.
  • 1209600 is the expire time: the number of seconds a slave keeps serving the zone without a successful refresh before it expires and is flushed from memory.
  • 3600 is the minimum field of the SOA; as explained in SOA Records Explained above, it is now used as the negative-caching TTL.
  • NS, MX, A, and CNAME are the resource records that map names to name servers, mail exchangers, IP addresses and aliases.
  • $ORIGIN netlabs.biz. begins the section of the zone file that defines names within the netlabs.biz domain; the names below it are relative to that origin.
  • Save and close the new zone file.
<esc>:wq
  • Open BIND named.conf.local file.
root@ns1:~# vim /var/chroot/named/etc/named.conf.local
  • Add newly created zone information.
zone  "netlabs.biz" {
        type master;
        allow-transfer { key TRANSFER; };
        file  "netlabs/zone.netlabs.biz";
};
  • type master; signifies this is the master zone file.
  • allow-transfer { key TRANSFER; }; restricts zone transfers to requests signed with the shared TRANSFER key, so only our own slave name server can pull a copy of the zone.
  • file "..." defines the zone file location, relative to bind's working directory (/var/chroot/named/var/cache/bind here).
  • All entries must end with }; to signify the end of a domain entry.
  • Save and close the file.
  • Reload the new configuration into the DNS cache.
root@ns1:~# rndc reconfig
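As an added example (not from the Athenaeum page or from BIND), the Python below parses the SOA of a zone file laid out like the one above, checks the page's YYYYMMDDss serial convention and the ordering of the refresh, retry and expire timers, and computes the serial to use for the next edit; run it before named-checkzone. The regex and the check thresholds are this example's own assumptions.

```python
"""Pre-flight checks for a master zone file, run before named-checkzone."""
import re
from datetime import date

# The SOA portion of the page's zone file, embedded here as a constructed input.
ZONE_TEXT = """$ORIGIN .
$TTL 900        ; 15 minutes
netlabs.biz             IN SOA  ns1.datotel.com. sysadmin.netlabs-sp.com. (
                                2007050401 ; serial
                                43200      ; refresh (12 hours)
                                3600       ; retry (1 hour)
                                1209600    ; expire (2 weeks)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns1.datotel.com.
"""

SOA_RE = re.compile(r"SOA\s+(\S+)\s+(\S+)\s*\(\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\)")

def parse_soa(text):
    """Return the SOA fields as a dict: mname, rname, serial, refresh, retry, expire, minimum."""
    # Drop ';' comments, then join lines so the parenthesised SOA becomes one string.
    joined = " ".join(re.sub(r";.*", "", line) for line in text.splitlines())
    m = SOA_RE.search(joined)
    if not m:
        raise ValueError("no SOA record found")
    keys = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
    return dict(zip(keys, m.groups()[:2] + tuple(int(g) for g in m.groups()[2:])))

def check_soa(soa):
    """Return a list of problems; an empty list means the SOA looks sane."""
    problems = []
    # Page convention: YYYYMMDDss with ss = 01-99.
    if not re.fullmatch(r"\d{8}(0[1-9]|[1-9]\d)", str(soa["serial"])):
        problems.append("serial does not follow YYYYMMDDss")
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        problems.append("expire must exceed refresh + retry or slaves will drop the zone")
    for field in ("mname", "rname"):
        if not soa[field].endswith("."):
            problems.append(f"{field} is not fully qualified (missing trailing dot)")
    return problems

def next_serial(current, today=None):
    """Next YYYYMMDDss serial: today's date with ss=01, or ss+1 if already edited today."""
    today = today or date.today().strftime("%Y%m%d")
    floor = int(today) * 100
    return floor + 1 if current < floor else current + 1
```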

Create A New Slave Zone (Domain)

  • This is done on rare occasions when customers want geographically diverse name servers but still want control of the master zone records.
  • In this case we add a slave zone directive on our primary name server that points to their primary name server as the master. The customer can then use ns1.datotel.com as their secondary name server.
  • Login to ns1.datotel.com via SSH.
  • Open named.conf.local.
user@ns1:~$ sudo vim /var/chroot/named/etc/bind/named.conf.local
  • Add the secondary (slave) zone entry:
zone  "example.com" {
        type slave;
        masters { 208.75.81.120; };
        file "slaves/zone.example.com";
};
  • type slave; signifies slave name server.
  • masters { 208.75.81.120; }; defines the master server. The IP address listed is the customer's name server from which zone transfers will come.
  • file "..." defines zone file location.
  • Save and close file.
  • Reload the new configuration into the DNS cache.
user@ns1:~$ sudo rndc reconfig
  • zone.example.com should now appear in the /var/chroot/named/var/cache/bind/slaves directory.

Deleting a Zone Record

  • Login to ns1.datotel.com via SSH
  • Switch to root user
user@ns1:~$ sudo bash
  • Change working directory to /var/chroot/named/var/cache/bind/
  • Open the named.conf.local file. ("datotel" will be used as an example)
root@ns1:/var/chroot/named/var/cache/bind/# nano ./named.conf.local
  • If the customer has requested only a single domain to be removed, find and remove that zone record definition; it looks like the one below.
  • If the customer has requested to be completely removed from our name servers, remove every zone record definition (the full-removal steps follow the single-domain steps below).
zone  "datotel.com" {
        type master;
        allow-transfer { key TRANSFER; };
        file  "datotel/zone.datotel.com";
};
  • Save and close the named.conf.local file.
  • You can now issue an rndc reload.
  • Execute the following command to confirm that bind has removed the zone record.
user@ns1:~$ grep removed /var/log/syslog | tail
  • If the reload was successful, the previous command will return a line that looks like this "...zone datotel.com/IN: (master) removed"
  • If you do not see this line, contact an engineer for further assistance.


  • To remove a customer completely, remove every zone record definition, then save and close the named.conf.local file.
  • You can now issue an rndc reload.
  • Execute the following command to confirm that bind has removed the zone records.
user@ns1:~$ grep removed /var/log/syslog | tail
  • If the reload was successful, the previous command will return one or more lines that look like this "...zone datotel.com/IN: (master) removed"
  • If you do not see these lines, contact an engineer for further assistance.
  • Change working directory to /var/chroot/named/var/cache/bind/
  • Delete the client's folder.
root@ns1:/var/chroot/named/var/cache/bind/# rm -rv ./datotel

ns2.datotel.com

Server Configuration

  • Bind runs as the user bind in group bind
  • DNS config for the server itself should be:
nameserver 127.0.0.1
nameserver 208.75.82.154
nameserver 208.75.82.155
  • An AppArmor profile is used to restrict bind's access to the rest of the system. Therefore, the traditional bind chroot jail has not been configured on this server.
  • The apparmor-profiles package has also been installed (activating 20+ profiles in complain mode)
  • The logging location for bind is /var/log/named/
  • Config file conventions
    • Global (top level) directives go in /etc/bind/named.conf
    • Options go in /etc/bind/named.conf.options
    • Zone directive includes go in /etc/bind/named.conf.local
      • There is a customers folder in /etc/bind that holds the named.conf zone definitions for each customer.
      • Each customer file then gets included into named.conf.local
    • Local zone directives go in /etc/bind/named.conf.default-zones

Create A New Slave Zone (Domain)

  • Login to ns2.datotel.com via SSH
  • Switch to the root user
user@ns2:~$ sudo bash
  • Change working directory to /etc/bind/customers
  • Create a file to hold zone directives and add the required slave zones to the container. ("datotel" will be used as an example)
root@ns2:/etc/bind/customers# nano ./datotel.zones
  • Your new zones file should contain information similar to what is shown below for each of the customer's domains (datotel.net, datotel.com, etc.):
zone  "datotel.com" {
        type slave;
        masters { 208.75.82.154; };
        file  "datotel/zone.datotel.com";
};
  • type slave; signifies slave name server.
  • masters { 208.75.82.154; }; defines master server host. IP address listed is the name server from which zone transfers will come from.
  • file "..." defines zone file location.
    • For ns2 this location is /var/cache/bind/...
  • Change back to /etc/bind/ and append an include to ./named.conf.local pointing to the new zones file:
include "/etc/bind/customers/datotel.zones";
  • Change working directory to /var/cache/bind
  • Create a directory for the customer
root@ns2:/var/cache/bind# mkdir ./datotel
  • Change the ownership to bind.bind
root@ns2:/var/cache/bind# chown bind.bind ./datotel
  • Check the bind configuration.
user@ns2:~$ named-checkconf
  • Reload the new configuration into the DNS cache.
user@ns2:~$ rndc reconfig
  • Check that the zone transfer succeeded with this command:
user@ns2:~$ tail /var/log/named/named.log | grep transferred
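The log checks at the end of the deletion steps above (grep removed on ns1) and the zone-transfer check on ns2 can be scripted; this is an added example, not from the Athenaeum page or from BIND. The sample log lines are constructed in the message formats named writes; the exact wording of the transfer-failure line is an assumption.

```python
"""Checks that replace the page's manual grep of the logs after a reload or reconfig."""
import re

# Constructed sample of /var/log/syslog on ns1 after 'rndc reload'.
SYSLOG_NS1 = """\
May  4 10:15:01 ns1 named[1234]: received control channel command 'reload'
May  4 10:15:01 ns1 named[1234]: zone datotel.com/IN: (master) removed
May  4 10:15:01 ns1 named[1234]: zone datotel.net/IN: (master) removed
May  4 10:15:01 ns1 named[1234]: reloading zones succeeded
"""

# Constructed sample of /var/log/named/named.log on ns2 after 'rndc reconfig'.
NAMED_LOG_NS2 = """\
04-May-2007 10:20:03.117 zone datotel.com/IN: Transfer started.
04-May-2007 10:20:03.131 zone datotel.com/IN: transferred serial 2007050401
04-May-2007 10:20:03.131 transfer of 'datotel.com/IN' from 208.75.82.154#53: Transfer completed: 1 messages, 12 records, 310 bytes, 0.011 secs
04-May-2007 10:20:03.140 transfer of 'datotel.net/IN' from 208.75.82.154#53: failed while receiving responses: REFUSED
"""

REMOVED = re.compile(r"zone (?P<zone>\S+)/IN: \((?:master|slave)\) removed")
TRANSFERRED = re.compile(r"zone (?P<zone>\S+)/IN: transferred serial (?P<serial>\d+)")
FAILED = re.compile(r"transfer of '(?P<zone>\S+)/IN' from \S+: (?P<why>failed.*)")

def removed_zones(log_text):
    """Zones that named reports as removed after a reload; compare with the list you deleted."""
    found = {m.group("zone") for m in map(REMOVED.search, log_text.splitlines()) if m}
    return sorted(found)

def transfer_status(log_text, zone):
    """('ok', serial) if the slave pulled the zone, ('failed', reason) if named
    logged a transfer error for it, ('missing', None) if the log shows neither."""
    status = ("missing", None)
    for line in log_text.splitlines():
        done = TRANSFERRED.search(line)
        if done and done.group("zone") == zone:
            return ("ok", int(done.group("serial")))
        err = FAILED.search(line)
        if err and err.group("zone") == zone:
            status = ("failed", err.group("why"))
    return status
```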