Part III Advanced DNS Functions
- Chapter 7 Bind ACL
- Chapter 8 Split DNS: VIEW
- Chapter 9 Dynamic DNS Update
- Chapter 10 How to use Client tools - nslookup, dig, host
Chapter 9 Bind ACL
1. Access Control List (/etc/named.conf)
   - An access control list is a list of semicolon-separated IP addresses, networks, or named access control lists
   - Makes the configuration easier to read and maintain
   acl "mylist" { 192.168.80/24; 192.168.1.12; };
   acl "slave" { 192.168.80.6; };
2. Allow Query and Transfer using ACL
   options {
       directory "/var/named";
       allow-query { mylist; };
       allow-transfer { slave; };
   };
3. Restricting Recursive Queries
   a. Restrict all recursive queries
      recursion no;   (or: allow-recursion { none; };)
   b. Allow recursive queries only from my internal network
      allow-recursion { mylist; };
4. Blackhole
   a. The blackhole statement provides a way to completely ignore all queries from a host or network; it is used for spam blocking
   b. How to use Blackhole
      # vi /etc/named.conf
      acl blacklist { 210.10.10.1; 192.168.10.1; 162.168.20.0/24; };
      acl spoofnetwork { 0.0.0.0/8; 10.0.0.0/8; 224.0.0.0/8; 192.168.0.0/16; };
      options {
          blackhole { blacklist; spoofnetwork; };
      };
5. DNS Forwarders
   a. A DNS server on a network used to forward DNS queries for external DNS names to DNS servers outside of that network
   b. /etc/named.conf
      # Forward all DNS queries to the Google Public DNS
      options {
          forwarders { 8.8.8.8; 8.8.4.4; };
          forward only;
      };
      # Forward queries for one zone to other servers
      zone "chul.com" in {
          type forward;
          forwarders { 192.168.1.1; 10.10.1.1; };
      };
Chapter 10 VIEW
1. What is VIEW?
   a. A name server normally provides one view of the DNS namespace
   b. Different hosts can be shown different views of a zone by the server
      - Most hosts see public DNS information
      - Some hosts see private DNS information; those hosts may be behind a firewall
      - A "split namespace"
2. Defining Views
   a. match-clients defines which clients see which view
      - Order is important; the first match applies
   b. Most things can be declared in a view
      - ACLs can be used in a view but not defined there
      - If even one view is defined, all zones must be defined inside a view; the 'include' keyword can be used to pull a shared zone list into each view
3. VIEW Example (/etc/named.conf)
   acl "internal" { 127/8; 192.168.80/24; };
   acl "slave" { 192.168.80.6; };
   options {
       directory "/var/named";
       recursion no;
   };
   view "internal" {
       match-clients { "internal"; };
       recursion yes;
       zone "chul.com" IN {
           type master;
           file "chul.zone-internal";
       };
   };
   view "external" {
       match-clients { any; };
       allow-transfer { slave; };
       zone "chul.com" IN {
           type master;
           file "chul.zone";
       };
       allow-update { none; };
   };
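The decision logic behind sections 1 to 4 of the ACL chapter and behind match-clients above is the same address-match-list walk: BIND scans the list in order, and the first element that applies decides. The following Python program is an added illustration written for these notes, not BIND's own code; it supports only the element kinds used on this page (IPv4 prefixes including BIND's abbreviated 192.168.80/24 and 127/8 forms, single addresses, any/none, nested acl names, and "!" negation on address elements) and applies the lists in the order named does: blackhole first, then view selection, then allow-query. The configuration strings are constructed from the page's acl statements. Running it also shows a check worth making on the ACL chapter's blackhole example: spoofnetwork contains 192.168.0.0/16, which covers mylist's 192.168.80/24, so with both in place the internal clients are dropped before allow-query is ever consulted.

```python
"""Address-match-list evaluation as BIND applies it to acl, blackhole,
allow-query and view match-clients.  Added illustration for these notes,
not BIND's code; IPv4 only, and '!' is supported on address elements."""
import ipaddress
import re

# Constructed named.conf fragment built from the acl statements in these notes
# (straight quotes, as named.conf requires).
CONF = '''
acl "mylist" { 192.168.80/24; 192.168.1.12; };
acl "slave" { 192.168.80.6; };
acl "internal" { 127/8; 192.168.80/24; };
acl "spoofnetwork" { 0.0.0.0/8; 10.0.0.0/8; 224.0.0.0/8; 192.168.0.0/16; };
'''
# match-clients of the two views, in named.conf order (first positive match wins).
VIEWS = [("internal", ["internal"]), ("external", ["any"])]


def expand_prefix(text):
    """Turn a BIND prefix element into an ip_network, filling omitted octets
    (192.168.80/24 -> 192.168.80.0/24, 127/8 -> 127.0.0.0/8)."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    if all(o.isdigit() for o in octets) and len(octets) < 4:
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen}" if plen else addr, strict=False)


def parse_acls(conf):
    """Collect acl "name" { elem; elem; }; statements into {name: [elements]}."""
    acls = {}
    for m in re.finditer(r'acl\s+"?([\w.-]+)"?\s*\{([^}]*)\}\s*;', conf):
        acls[m.group(1)] = [e.strip().strip('"') for e in m.group(2).split(";") if e.strip()]
    return acls


def matches(client, elements, acls):
    """Walk the list in order; the first element that applies decides.
    Returns True (positive match), False (negated match) or None (no match,
    which BIND treats as deny for allow-* lists)."""
    ip = ipaddress.ip_address(client)
    for elem in elements:
        negate = elem.startswith("!")
        token = elem.lstrip("! ").strip('"')
        if token == "any":
            return not negate
        if token == "none":
            continue                      # matches nothing, keep scanning
        if token in acls:
            if negate:
                raise ValueError("negated nested acl not supported in this illustration")
            result = matches(client, acls[token], acls)
            if result is not None:
                return result
            continue
        if ip in expand_prefix(token):
            return not negate
    return None


def select_view(client, views, acls):
    """First view whose match-clients gives a positive match serves the client."""
    for name, match_clients in views:
        if matches(client, match_clients, acls) is True:
            return name
    return None


def decide(client, acls, blackhole, views, allow_query):
    """Order in which named applies the lists: blackhole, then the view,
    then allow-query for that view."""
    if matches(client, blackhole, acls) is True:
        return "dropped by blackhole"
    view = select_view(client, views, acls)
    if view is None:
        return "refused: no matching view"
    if matches(client, allow_query, acls) is not True:
        return f"refused by allow-query in view {view}"
    return f"answered from view {view}"


if __name__ == "__main__":
    acls = parse_acls(CONF)
    for client in ("192.168.80.9", "8.8.8.8", "10.0.0.5"):
        print(client, "->", decide(client, acls, ["spoofnetwork"], VIEWS, ["mylist"]))
```

Swapping the order of the two views in VIEWS makes every client land in "external", which is the "order is important; first match applies" point in a form you can test before reloading named.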
4. Zone file
   a. External file - /var/named/chul.zone
      $TTL 604800
      @       IN SOA  ns.chul.com. root.chul.com. (
                      ; serial, refresh, retry, expire and minimum values are not present in the original
                      )
      @       IN NS   ns
              IN MX   10 ms1
              IN A    192.168.80.5
      ns      IN A    192.168.80.5
      ms1     IN A    192.168.80.5
      www     IN A    192.168.80.5
   b. Internal file - /var/named/chul.zone-internal
      $INCLUDE "/var/named/chroot/var/named/chul.zone"
      @       IN A    10.1.1.1
      boss    IN A    10.1.1.2
      printer IN A    10.1.1.3
      lab     IN A    10.1.1.4
5. VIEW Testing
   # host -a www.chul.com
   # host -a printer
Chapter 11 Dynamic DNS Update
1. Dynamic DNS Update
   The ability for a network device using an Internet protocol to notify a DNS server, in real time, of changes to the DNS configuration of its hostnames, addresses, or other information held on the server.
2. DDNS Configuration
   a. Using allow-update (/etc/named.conf)
      zone "chul.com" IN {
          type master;
          file "chul.zone";
          allow-update { 192.168.80.6; };
      };
   b. Using a key
      # ddns-confgen -a hmac-md5 -z chul.com
      # vi /etc/named.conf
      key "ddns-key.chul.com" {
          algorithm hmac-md5;
          secret "vR13+8uieIGKDzgBziSVkw==";
      };
      zone "chul.com" IN {
          type master;
          file "chul.zone";
          update-policy {
              grant ddns-key.chul.com zonesub ANY;
          };
      };
      # cat /etc/named/ddns-key.chul.com    // key file for nsupdate -k: copy the key statement from /etc/named.conf into it
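What the key in option b buys over the address list in option a is that each update message carries a TSIG record: an HMAC over the message plus the key name, algorithm, time-signed and fudge fields, which named recomputes with the shared secret before applying the update, so the update is accepted on proof of the key rather than on the source address of a UDP packet. The Python program below is an added illustration for these notes, written with the standard library only; it is not nsupdate's or BIND's code. It builds the same "update add test.chul.com 3600 A 192.168.80.3" message the testing section sends, signs it with a constructed key (the key name is the page's, the secret is a throwaway sample, not the one in the notes), and verifies it the way the server does, including the time window: fudge is 300 seconds, BIND's default. Both hmac-md5, which the page's ddns-confgen command requests, and hmac-sha256, the tool's current default, are supported.

```python
"""TSIG signing and verification of a DNS UPDATE message (RFC 8945, the
successor of RFC 2845).  Added illustration for these notes; standard
library only, not BIND's or nsupdate's code."""
import base64
import hashlib
import hmac
import struct
import time

TSIG_TYPE = 250
CLASS_IN, CLASS_ANY = 1, 255
TYPE_A, TYPE_SOA = 1, 6
# algorithm name on the wire -> hash function
ALGORITHMS = {"hmac-md5": ("hmac-md5.sig-alg.reg.int.", hashlib.md5),
              "hmac-sha256": ("hmac-sha256.", hashlib.sha256)}
# Constructed sample key in the shape ddns-confgen prints: a name and a
# base64 secret.  The secret here is a throwaway value, not the page's.
KEY_NAME = "ddns-key.chul.com"
KEY_SECRET = base64.b64encode(b"constructed-sample-secret-bytes").decode()


def encode_name(name):
    """Wire-format a name in TSIG canonical form: lowercase, uncompressed."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def read_name(buf, off):
    """Read a name; a compression pointer ends it after two bytes (the records
    parsed here are never compressed, but the returned offset stays correct)."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:
            return ".".join(labels) + ".", off + 2
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n


def build_update(zone, owner, ttl, ipv4, msg_id=0x1234):
    """Unsigned DNS UPDATE (opcode 5) adding one A record, like `update add`."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(o) for o in ipv4.split("."))
    update_sec = encode_name(owner) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_sec + update_sec


def tsig_variables(key_name, alg_name, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC: name, class ANY, TTL 0, algorithm,
    time signed (48 bits), fudge, error, other data."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(alg_name)
            + struct.pack("!Q", time_signed)[2:] + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, key_name, secret_b64, algorithm="hmac-md5", time_signed=None, fudge=300):
    """Append a TSIG RR to the additional section and increment ARCOUNT."""
    alg_name, digestmod = ALGORITHMS[algorithm]
    time_signed = int(time.time()) if time_signed is None else time_signed
    key = base64.b64decode(secret_b64)
    mac = hmac.new(key, msg + tsig_variables(key_name, alg_name, time_signed, fudge), digestmod).digest()
    rdata = (encode_name(alg_name) + struct.pack("!Q", time_signed)[2:]
             + struct.pack("!HH", fudge, len(mac)) + mac + msg[0:2] + struct.pack("!HH", 0, 0))
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr


def tsig_verify(signed, key_name, secret_b64, now=None):
    """Server-side check: last additional RR is a TSIG for our key, the MAC
    matches the reconstructed unsigned message, and time-signed is within fudge."""
    counts = struct.unpack("!HHHHHH", signed[:12])
    off = 12
    for _ in range(counts[2]):                       # zone (question) entries
        off = read_name(signed, off)[1] + 4
    total = counts[3] + counts[4] + counts[5]
    if total == 0:
        return False
    for i in range(total):                           # prereq, update, additional RRs
        start = off
        name, off = read_name(signed, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
        off += 10
        if i < total - 1:
            off += rdlen
    if rtype != TSIG_TYPE or name != key_name.lower().rstrip(".") + ".":
        return False
    alg_name, p = read_name(signed, off)
    digestmod = next((h for n, h in ALGORITHMS.values() if n == alg_name), None)
    if digestmod is None:
        return False
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, mac_len = struct.unpack("!HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + mac_len]
    q = p + 10 + mac_len
    orig_id, error, other_len = struct.unpack("!HHH", signed[q:q + 6])
    other = signed[q + 6:q + 6 + other_len]
    # the message as it was before signing: TSIG removed, ARCOUNT - 1, original ID
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", counts[5] - 1) + signed[12:start]
    expected = hmac.new(base64.b64decode(secret_b64),
                        unsigned + tsig_variables(key_name, alg_name, time_signed, fudge, error, other),
                        digestmod).digest()
    if not hmac.compare_digest(mac, expected):
        return False
    now = int(time.time()) if now is None else now
    return abs(now - time_signed) <= fudge


if __name__ == "__main__":
    msg = build_update("chul.com", "test.chul.com", 3600, "192.168.80.3")
    signed = tsig_sign(msg, KEY_NAME, KEY_SECRET)
    print("signed update verifies:", tsig_verify(signed, KEY_NAME, KEY_SECRET))
```

A message whose A record has been altered in transit, one signed with a different secret, or one replayed more than fudge seconds after it was signed all fail verification, which is why a skewed clock on the updating host shows up as a BIND "clock skew" TSIG error rather than as a mystery refusal.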
3. Dynamic DNS Update Testing
   a. Adding a new host
      # chmod 770 /var/named/chroot/var/named
      # nsupdate -k /etc/named/ddns-key.chul.com
      > server ns.chul.com
      > zone chul.com
      > update add test.chul.com 3600 A 192.168.80.3
      > send
      > show
      # host -a test.chul.com
   b. Deleting the new host
      # nsupdate -k /etc/named/ddns-key.chul.com
      > server ns.chul.com
      > zone chul.com
      > update delete test.chul.com
      > send
      > show
      # host -a test.chul.com
Chapter 12 How to use Client tools
1. Nslookup
   # nslookup www.chul.com
   # nslookup -query=mx redhat.com
   # nslookup -type=ns redhat.com
   # nslookup -type=soa redhat.com
   # nslookup -type=any chul.com
   # nslookup google.com ns.chul.com
   # nslookup 192.168.80.5
2. Dig
   # dig www.chul.com
   # dig chul.com mx                    (or ns, or any)
   # dig +trace www.google.com
   # dig @ns.chul.com google.com +short ns
   # dig @ns.chul.com chul.com axfr     // zone transfer
   # dig -x 192.168.80.5                // reverse lookup
3. Host
   # host -t ns chul.com
   # host -t any chul.com
   # host -al chul.com
   # host www.chul.com