Part III  Advanced DNS Functions
•  Chapter 7 Bind ACL
•  Chapter 8 Split DNS: VIEW
•  Chapter 9 Dynamic DNS Update
•  Chapter 10 How to use Client tools - nslookup, dig, host
Chapter 9 Bind ACL
1. Access Control List (/etc/named.conf)
§   An access control list is a list of semicolon-separated IP addresses, networks, or other named access control lists
§   It makes the configuration easier to read and maintain
     acl "mylist" { 192.168.80/24; 192.168.1.12; };
     acl "slave"  { 192.168.80.6; };
2. Allow Query and Transfer using ACL
options {
          directory      "/var/named";
          allow-query    { mylist; };
          allow-transfer { slave; };
};
3. Restricting Recursive Queries
a. Refuse all recursive queries
          recursion no;        or        allow-recursion { none; };
b. Allow recursive queries only from my internal network
          allow-recursion { mylist; };
4. Blackhole
a. The blackhole statement provides a way to completely ignore all queries from a host or network; it is used for blocking spam sources and spoofed addresses
b. How to use blackhole (blackhole is an options statement)
# vi /etc/named.conf
acl blacklist    { 210.10.10.1; 192.168.10.1; 162.168.20.0/24; };
acl spoofnetwork { 0.0.0.0/8; 10.0.0.0/8; 224.0.0.0/8; 192.168.0.0/16; };
options {
          blackhole { blacklist; spoofnetwork; };
};
5. DNS Forwarders
a. A DNS server on a network that forwards queries for external DNS names to DNS servers outside that network
b. /etc/named.conf
# Forward all DNS queries to the Google Public DNS
options {
          forwarders { 8.8.8.8; 8.8.4.4; };
          forward only;
};
# Forward queries for one zone to specific servers
zone "chul.com" in {
          type forward;
          forwarders { 192.168.1.1; 10.10.1.1; };
};
Chapter 10 VIEW
1. What is VIEW?
a. A name server normally provides one view of the DNS namespace
b. Different hosts can be shown different views of a zone by the same server
•      Most hosts see public DNS information
•      Some hosts see private DNS information; those hosts may be behind a firewall
•      This is a "split namespace" (split DNS)
2. Defining Views
a. match-clients defines which clients see which view
•      Order is important; the first matching view applies
b. Most things can be declared in a view
•      ACLs can be used inside a view but must be defined outside it
•      If even one view is defined, all zones must be defined inside a view; the 'include' keyword can be used to share common zone definitions between views
3. VIEW Example (/etc/named.conf)
acl "internal" { 127/8; 192.168.80/24; };
acl "slave"    { 192.168.80.6; };
options {
        directory "/var/named";
        recursion no;
};
view "internal" {
        match-clients { "internal"; };
        recursion yes;
        zone "chul.com" IN {
                type master;
                file "chul.zone-internal";
        };
};
view "external" {
        match-clients { any; };
        allow-transfer { slave; };
        zone "chul.com" IN {
                type master;
                file "chul.zone";
        };
        allow-update { none; };
};
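As an added illustration (not code from the original post) of the ACL, blackhole and match-clients rules in Chapters 9 and 10, the Python model below classifies a client address the way named does: blackholed addresses are dropped before any view is consulted, and the first view whose match-clients list matches wins. The ACL contents are the page's own; the negated-entry syntax ("!") is not modelled.

```python
import ipaddress

# ACLs from this page's named.conf examples; BIND's "192.168.80/24" prefix shorthand
# is written out in full because the ipaddress module does not accept it.
ACLS = {
    "mylist":       ["192.168.80.0/24", "192.168.1.12"],
    "slave":        ["192.168.80.6"],
    "internal":     ["127.0.0.0/8", "192.168.80.0/24"],
    "blacklist":    ["210.10.10.1", "192.168.10.1", "162.168.20.0/24"],
    "spoofnetwork": ["0.0.0.0/8", "10.0.0.0/8", "224.0.0.0/8", "192.168.0.0/16"],
}

# The two views of the example above, in declaration order (order matters).
VIEWS = [("internal", ["internal"]), ("external", ["any"])]

def acl_matches(entry, ip, acls=ACLS):
    """True if address-match-list `entry` matches `ip`. An entry is the keyword any
    or none, the name of another ACL, or a literal address or prefix. Negated
    entries ("!10/8") are not modelled here."""
    if entry == "any":
        return True
    if entry == "none":
        return False
    if entry in acls:                      # named ACL: recurse into its members
        return any(acl_matches(e, ip, acls) for e in acls[entry])
    return ip in ipaddress.ip_network(entry, strict=False)

def select_view(client, blackhole, views=VIEWS, acls=ACLS):
    """Model of how named decides who answers a query from `client`: "blackhole"
    if the address is in the options blackhole list (the query is ignored and no
    view is consulted), else the first view whose match-clients list matches,
    else None (no view matches, so named refuses the query)."""
    ip = ipaddress.ip_address(client)
    if any(acl_matches(e, ip, acls) for e in blackhole):
        return "blackhole"
    for name, match_clients in views:
        if any(acl_matches(e, ip, acls) for e in match_clients):
            return name
    return None

def allowed(client, acl_list, acls=ACLS):
    """Evaluate an allow-query / allow-transfer / allow-recursion style list."""
    ip = ipaddress.ip_address(client)
    return any(acl_matches(e, ip, acls) for e in acl_list)
```

Running it with the page's spoofnetwork list in the blackhole shows that 192.168.80.0/24 clients (the "internal" ACL) are dropped before the internal view can answer them, because 192.168.0.0/16 contains that network; blackhole lists and internal ACLs need to be checked for overlap.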
4. Zone file
a. External file - /var/named/chul.zone
$TTL    604800
@       IN      SOA     ns.chul.com. root.chul.com. (
                        ; serial, refresh, retry, expire and minimum TTL go here, followed by ")"
@       IN      NS      ns
        IN      MX      10 ms1
        IN      A       192.168.80.5
ns      IN      A       192.168.80.5
ms1     IN      A       192.168.80.5
www     IN      A       192.168.80.5
b. Internal file - /var/named/chul.zone-internal
$include "/var/named/chroot/var/named/chul.zone"
@       IN      A       10.1.1.1
boss    IN      A       10.1.1.2
printer IN      A       10.1.1.3
lab     IN      A       10.1.1.4
5. VIEW Testing
# host -a www.chul.com
# host -a printer
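As an added example (not part of the original page), the Python parser below reads constructed in-memory copies of the two zone files from section 4, resolves the $include, and applies the rule that a record with a blank owner field inherits the previous owner. Its lookup() answers the same questions as the host tests in section 5 against each view's file, so it shows the internal view returning both the public 192.168.80.5 and the private 10.1.1.1 address for chul.com while the external file has no printer record. The SOA timer values inside the parentheses are constructed, since the page leaves them out.

```python
ORIGIN = "chul.com."
# Constructed in-memory copies of the chapter's two zone files, keyed by the paths the page uses.
FILES = {
    "/var/named/chroot/var/named/chul.zone": """\
$TTL 604800
@       IN  SOA  ns.chul.com. root.chul.com. ( 2024010101 604800 86400 2419200 604800 )
@       IN  NS   ns
        IN  MX   10 ms1
        IN  A    192.168.80.5
ns      IN  A    192.168.80.5
ms1     IN  A    192.168.80.5
www     IN  A    192.168.80.5
""",
    "/var/named/chul.zone-internal": """\
$include "/var/named/chroot/var/named/chul.zone"
@       IN  A    10.1.1.1
boss    IN  A    10.1.1.2
printer IN  A    10.1.1.3
lab     IN  A    10.1.1.4
""",
}

def parse_zone(path, origin=ORIGIN, files=FILES, state=None):
    """Return [(owner, ttl, type, rdata)] with FQDN owners. A blank owner inherits the
    previous one; $INCLUDE inlines a file; $TTL lives in `state` so it survives an include."""
    state = state if state is not None else {"ttl": None}
    records, owner = [], origin
    for raw in files[path].splitlines():
        line = raw.split(";", 1)[0].rstrip()              # strip comments
        if not line.strip():
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0].upper() == "$TTL":
            state["ttl"] = int(tokens[1])
            continue
        if tokens[0].upper() == "$INCLUDE":
            records += parse_zone(tokens[1].strip('"'), origin, files, state)
            continue
        if not line[0].isspace():                         # explicit owner field
            name = tokens.pop(0)
            owner = origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")
        rr_ttl = int(tokens.pop(0)) if tokens[0].isdigit() else state["ttl"]
        if tokens[0].upper() == "IN":                     # class is optional
            tokens.pop(0)
        records.append((owner, rr_ttl, tokens[0].upper(), " ".join(tokens[1:])))
    return records

def lookup(path, name, rtype):   # answer one (name, type) question, like `host -t`
    fqdn = name if name.endswith(".") else f"{name}."
    return [r for r in parse_zone(path) if r[0] == fqdn and r[2] == rtype]
```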
Chapter 11 Dynamic DNS Update
1. Dynamic DNS Update
The ability of a network device using an Internet protocol to notify a DNS server to change, in real time, the DNS configuration of its hostnames, addresses, or other information held on the server.
2. DDNS Configuration
a. Using allow-update (/etc/named.conf)
zone "chul.com" IN {
            type master;
            file "chul.zone";
            allow-update { 192.168.80.6; };
};
b. Using a key
# ddns-confgen -a hmac-md5 -z chul.com
# vi /etc/named.conf
key "ddns-key.chul.com" {
          algorithm hmac-md5;
          secret "vR13+8uieIGKDzgBziSVkw==";
};
zone "chul.com" IN {
            type master;
            file "chul.zone";
            update-policy {
                            grant ddns-key.chul.com zonesub ANY;
            };
};
# cat /etc/named/ddns-key.chul.com        // the key statement, copied from /etc/named.conf, for nsupdate -k
3. Dynamic DNS Update Testing
a. Adding a new host
# chmod 770 /var/named/chroot/var/named
# nsupdate -k /etc/named/ddns-key.chul.com
> server ns.chul.com
> zone chul.com
> update add test.chul.com 3600 A 192.168.80.3
> send
> show
# host -a test.chul.com
b. Deleting the new host
# nsupdate -k /etc/named/ddns-key.chul.com
> server ns.chul.com
> zone chul.com
> update delete test.chul.com
> send
> show
# host -a test.chul.com
Chapter 12 How to use Client tools
1. Nslookup
# nslookup www.chul.com
# nslookup -query=mx redhat.com
# nslookup -type=ns redhat.com
# nslookup -type=soa redhat.com
# nslookup -type=any chul.com
# nslookup google.com ns.chul.com            // query a specific server
# nslookup 192.168.80.5                      // reverse lookup
2. Dig
# dig www.chul.com
# dig chul.com mx        (or ns, any)
# dig +trace www.google.com
# dig @ns.chul.com google.com +short ns
# dig @ns.chul.com chul.com axfr             // zone transfer
# dig -x 192.168.80.5                        // reverse lookup
3. Host
# host -t ns chul.com
# host -t any chul.com
# host -al chul.com
# host www.chul.com