If zone transfer is enabled
dig handles it directly
dig -t AXFR @127.0.0.1 acme.fr > /etc/bind/db.acme.fr
If zone transfer is not enabled, you can still try
dig @127.0.0.1 +nocmd +multiline +noall +answer SOA acme.fr
This can be tidied up a bit (quick one-shot script, not pretty, sorry)
dig2bind.sh
#!/bin/bash
# dig2bind.sh: rebuild a BIND zone file for acme.fr from an AXFR against 127.0.0.1
ZONE=acme.fr
SERVER=127.0.0.1
# Default TTL = the most frequent TTL in the transfer (a plain `sort -u` returns
# several values if the zone mixes TTLs and breaks the $TTL line)
TTL=$(dig $ZONE -t AXFR @$SERVER | grep -Ev '^;|^$' | awk '{print $2}' \
      | sort | uniq -c | sort -rn | awk 'NR==1 {print $2}')
echo -e "\$TTL\t$TTL"
# SOA first: owner becomes @, the default TTL field is dropped, tabs squeezed
dig @$SERVER +nocmd +multiline +noall +answer SOA $ZONE \
  | sed -e "s/^$ZONE\./@/" \
  | perl -p -e "s/\t$TTL\t/\t/ if /IN SOA/" \
  | perl -p -e 's/\t+/\t/ if /IN SOA/'
# Other records: names relative to the origin, default TTL dropped, duplicates removed
dig $ZONE -t AXFR @$SERVER | grep -Ev '^;|^$' \
  | sed -e "s/^$ZONE\./@/" \
  | perl -p -e "s/\t$TTL\t/\t/" \
  | perl -p -e "s/\.$ZONE\.//g if /IN/" \
  | perl -ne 'print unless $a{$_}++' \
  | perl -p -e 's/\t+/\t/g' \
  | grep -v SOA
bash dig2bind.sh > /etc/bind/db.acme.fr
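The same conversion as dig2bind.sh, written in Python as an added example (it is not part of the original notes and not the author's script). It reads the text that dig -t AXFR prints, so it can be fed with `dig -t AXFR @127.0.0.1 acme.fr | python3 axfr2zone.py acme.fr`; without arguments it runs on the constructed sample transfer embedded below (hypothetical names, RFC 5737 documentation addresses). It goes a little further than the shell version: the default TTL is the most common TTL in the transfer, only the opening SOA is kept, records are de-duplicated, and in-zone names are relativised without mangling absolute names in the RDATA.

```python
#!/usr/bin/env python3
"""axfr2zone.py (added example): turn `dig -t AXFR` output into a BIND zone file.

Usage: dig -t AXFR @127.0.0.1 acme.fr | python3 axfr2zone.py acme.fr
Without arguments it runs on the constructed sample below.
"""
import sys
from collections import Counter

# Constructed sample transfer for a hypothetical zone; 192.0.2.0/24 is the
# RFC 5737 documentation range. dig prints the SOA twice (start and end).
SAMPLE_AXFR = """\
; <<>> DiG 9.16.1 <<>> -t AXFR @127.0.0.1 acme.fr
;; global options: +cmd
acme.fr.\t\t86400\tIN\tSOA\tns1.acme.fr. hostmaster.acme.fr. 2015121606 86400 3600 3600000 86400
acme.fr.\t\t86400\tIN\tNS\tns1.acme.fr.
acme.fr.\t\t86400\tIN\tA\t192.0.2.10
ns1.acme.fr.\t86400\tIN\tA\t192.0.2.53
www.acme.fr.\t3600\tIN\tCNAME\tacme.fr.
mail.acme.fr.\t86400\tIN\tMX\t10 mail.acme.fr.
mail.acme.fr.\t86400\tIN\tA\t192.0.2.25
acme.fr.\t\t86400\tIN\tSOA\tns1.acme.fr. hostmaster.acme.fr. 2015121606 86400 3600 3600000 86400
;; Query time: 1 msec
"""


def parse_axfr(text):
    """Yield (owner, ttl, rtype, rdata_tokens) for each record line, skipping
    dig's ';' comment lines and blank lines."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        if len(fields) < 5 or fields[2] != "IN":
            continue  # not an "owner ttl IN type rdata" line
        yield fields[0], int(fields[1]), fields[3], fields[4:]


def relativise(name, zone):
    """Rewrite a name relative to the zone origin: apex -> '@', in-zone names
    lose the suffix, anything else (numbers, out-of-zone names) is untouched."""
    if name == zone + ".":
        return "@"
    suffix = "." + zone + "."
    if name.endswith(suffix):
        return name[: -len(suffix)]
    return name


def axfr_to_zone(text, zone):
    """Return the zone file as a list of lines ($TTL, SOA, then the rest)."""
    records, seen, soa_seen = [], set(), False
    for owner, ttl, rtype, rdata in parse_axfr(text):
        if rtype == "SOA":
            if soa_seen:
                continue  # the closing SOA of the transfer
            soa_seen = True
        key = (owner, ttl, rtype, tuple(rdata))
        if key not in seen:  # AXFR output can repeat records
            seen.add(key)
            records.append(key)
    if not records:
        raise ValueError("no records parsed: transfer refused or wrong server?")
    default_ttl = Counter(r[1] for r in records).most_common(1)[0][0]
    records.sort(key=lambda r: 0 if r[2] == "SOA" else 1)  # stable sort keeps order
    lines = ["$TTL %d" % default_ttl]
    for owner, ttl, rtype, rdata in records:
        fields = [relativise(owner, zone)]
        if ttl != default_ttl:
            fields.append(str(ttl))  # explicit TTL only where it differs from $TTL
        fields += ["IN", rtype, " ".join(relativise(t, zone) for t in rdata)]
        lines.append("\t".join(fields))
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("\n".join(axfr_to_zone(sys.stdin.read(), sys.argv[1])))
    else:
        print("\n".join(axfr_to_zone(SAMPLE_AXFR, "acme.fr")))
```

Run the result through named-checkzone before installing it as /etc/bind/db.acme.fr; a refused transfer gives an empty answer section, which the script reports instead of writing an empty zone file.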
On slave
Port 53 must be open on the slave (so it can receive NOTIFY from the master)
/etc/bind/named.conf.local
zone "local" {
    type slave;
    masters { 192.168.15.211; };    // IP of master
    allow-notify { 10.8.15.215; };
    file "/var/lib/bind/db.local";
    allow-transfer { none; };
};
On Master
/etc/bind/named.conf.local
zone "local" {
    type master;
    file "/etc/bind/db.local";
    allow-transfer { localhost; 192.168.16.45; };    // IP of Slave
    notify yes;
};
/etc/bind/db.local
@       IN  NS  ns1.local.
ns1     IN  A   192.168.16.45
Change the serial in db.local and reload (a slave only transfers the zone when the serial has increased)
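Bumping the serial is the step that decides whether the slave picks up the change, so here is an added example (not from the original notes) that does it in Python: it rewrites the `<number> ; serial` line of a zone file laid out like db.local, using the YYYYMMDDnn convention the serial 2015121606 follows, and checks the new value with RFC 1982 serial arithmetic, which is the comparison a slave applies to decide that the master's copy is newer. The zone text below is constructed in the same layout as db.local.

```python
#!/usr/bin/env python3
"""bump_serial.py (added example): bump the SOA serial of a BIND zone file.

Serials use the YYYYMMDDnn convention of the notes (e.g. 2015121606). The new
value is validated with RFC 1982 serial arithmetic, the rule a slave uses to
decide whether the master's zone is newer and a transfer is needed.
"""
import re
from datetime import date

# Constructed zone file in the same layout as db.local above.
SAMPLE_ZONE = """\
$TTL 604800
@   IN  SOA dns.local. root.dns.local. (
            2015121606  ; serial
            86400       ; refresh (1 day)
            3600        ; retry (1 hour)
            3600000     ; expire (5 weeks 6 days 16 hours)
            86400       ; minimum (1 day)
            )
@       IN  NS  dns.local.
dns     IN  A   10.8.15.215
"""

# Matches the "<number> ; serial" line of the layout above.
SERIAL_LINE = re.compile(r"^[ \t]*(?P<serial>\d+)[ \t]*;[ \t]*serial\b", re.M)


def serial_newer(new, old):
    """RFC 1982: `new` is newer than `old` if it is ahead by less than 2^31
    modulo 2^32, so the comparison survives the 32-bit wrap-around."""
    diff = (new - old) % 2**32
    return 0 < diff < 2**31


def bump_serial(old, today=None):
    """Next YYYYMMDDnn serial. `today` is a datetime.date or an int/str
    YYYYMMDD (defaults to the current day). The first change of the day gives
    YYYYMMDD00; further changes that day, or an old serial already 'in the
    future' (clock skew), just add 1 so the value keeps increasing."""
    if today is None:
        today = date.today()
    ymd = today.strftime("%Y%m%d") if isinstance(today, date) else str(today)
    day_base = int(ymd) * 100
    new = day_base if old < day_base else old + 1
    if not serial_newer(new, old):
        raise ValueError("serial %d would not be seen as newer than %d" % (new, old))
    return new


def bump_zone_serial(zone_text, today=None):
    """Return (new_zone_text, old_serial, new_serial)."""
    m = SERIAL_LINE.search(zone_text)
    if not m:
        raise ValueError("no '<number> ; serial' line found")
    old = int(m.group("serial"))
    new = bump_serial(old, today)
    text = zone_text[: m.start("serial")] + str(new) + zone_text[m.end("serial"):]
    return text, old, new


if __name__ == "__main__":
    new_text, old, new = bump_zone_serial(SAMPLE_ZONE)
    print("serial %d -> %d" % (old, new))
    print(new_text)
```

After writing the file and running `rndc reload local` on the master, `dig +short SOA local @<master>` and the same query against the slave should show the same serial once the NOTIFY and transfer have gone through.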
It may be necessary to modify allow-query
/etc/bind/named.conf.options
forwarders { 80.67.169.12; 80.67.169.40; };
allow-query { any; };
See http://www.coursnet.com/2014/12/les-requetes-dns-recursives-iteratives.html
/etc/named.conf
options {
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion no;
    /* ... */
};
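The comment above and the allow-query note before it are the two settings worth checking on every BIND host, so here is an added example (not from the notes and not ISC code) that flags them in a named.conf fragment: a recursive service whose effective recursion ACL is `any`, and master zones without a restricted allow-transfer. An options block that only sets forwarders and `allow-query { any; }` is recursive for any client, because BIND 9 defaults to `recursion yes` and the recursion ACL falls back to allow-recursion, then allow-query-cache, then allow-query, then `{ localnets; localhost; }` (these defaults come from the BIND ARM, not from the notes, and are the assumptions the check relies on; the default of allow-transfer having historically been `any` is likewise assumed). The weak and fixed fragments are constructed for the example.

```python
#!/usr/bin/env python3
"""audit_named.py (added example): flag the two settings the comment above
warns about in a named.conf fragment: recursion reachable from anywhere, and
master zones that anyone can transfer.

Assumed BIND 9 defaults (from the ARM, not from the notes): recursion is
'yes' unless set; the recursion ACL falls back to allow-recursion, then
allow-query-cache, then allow-query, then { localnets; localhost; };
allow-transfer has historically defaulted to 'any' when not set.
"""
import re

COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

# Constructed fragments: the weak one mirrors the pattern the comment warns
# about, the fixed one restricts recursion and transfers. 192.0.2.1 and
# 10.8.0.0/16 are placeholder addresses.
WEAK_CONF = """
options {
    forwarders { 192.0.2.1; };
    allow-query { any; };   // recursion not set -> defaults to yes
};
zone "example.test" {
    type master;
    file "/etc/bind/db.example";
    notify yes;             /* allow-transfer not set */
};
"""
FIXED_CONF = """
options {
    forwarders { 192.0.2.1; };
    recursion yes;
    allow-query { any; };
    allow-recursion { localnets; localhost; 10.8.0.0/16; };
};
zone "example.test" {
    type master;
    file "/etc/bind/db.example";
    allow-transfer { 10.8.16.47; };
    notify yes;
};
"""


def top_level_blocks(text):
    """Yield (header, body) for each top-level `header { body };` statement,
    matching braces so nested lists like masters { ...; }; do not cut it short."""
    depth, open_at, header_at = 0, None, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                open_at = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0 and open_at is not None:
                yield text[header_at:open_at].strip(" \t\r\n;"), text[open_at + 1:i]
                header_at, open_at = i + 1, None


def acl_values(body, name):
    """Return the entries of `name { a; b; };` in body, or None if absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(name), body)
    if m is None:
        return None
    return [v.strip() for v in m.group(1).split(";") if v.strip()]


def audit_named_conf(conf_text):
    """Return a list of findings (empty when there is nothing to report)."""
    findings = []
    for header, body in top_level_blocks(COMMENT_RE.sub("", conf_text)):
        if header == "options":
            rec = re.search(r"\brecursion\s+(yes|no)\s*;", body)
            recursive = rec is None or rec.group(1) == "yes"
            acl = None  # effective recursion ACL, following the fallback chain
            for name in ("allow-recursion", "allow-query-cache", "allow-query"):
                acl = acl_values(body, name)
                if acl is not None:
                    break
            if recursive and acl is not None and "any" in acl:
                findings.append("options: recursive service open to any client "
                                "(amplification risk); set allow-recursion or recursion no")
        elif header.startswith("zone"):
            name = re.search(r'"([^"]+)"', header).group(1)
            ztype = re.search(r"\btype\s+(\w+)\s*;", body)
            xfer = acl_values(body, "allow-transfer")
            if ztype and ztype.group(1) in ("master", "primary") and (xfer is None or "any" in xfer):
                findings.append('zone "%s": allow-transfer missing or any; '
                                "restrict it to the slave addresses" % name)
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_named_conf(conf) or ["ok"])
```

The parser is deliberately small (top-level blocks plus flat ACL lists) and is meant for named.conf.options and named.conf.local as written on this page; named-checkconf -p prints the fully expanded configuration, which is the better input when include files and views are in play.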
If IPv6 is not used, the protocol can be disabled by editing /etc/sysconfig/named
OPTIONS="-4"
An option must also be added to /etc/named.conf.
/etc/named.conf
options {
    directory "/var/named";
    filter-aaaa-on-v4 yes;
};
source: https://blog.microlinux.fr/bind-centos-7/
DNS uses TCP port 53 and UDP port 53
apt-get install bind9 bind9utils dnsutils
/etc/bind/named.conf.local
zone "local" {
    type master;
    file "/etc/bind/db.local";
    allow-transfer { 10.8.16.47; };
    notify yes;
};
/etc/bind/db.local
$TTL 604800
@   IN  SOA dns.local. root.dns.local. (
            2015121606  ; serial
            86400       ; refresh (1 day)
            3600        ; retry (1 hour)
            3600000     ; expire (5 weeks 6 days 16 hours)
            86400       ; minimum (1 day)
            )
@       IN  NS      dns.local.
@       IN  NS      ns1.local.
@       IN  A       10.8.15.215
dns     IN  A       10.8.15.215
ns1     IN  A       10.8.16.47
bastion IN  A       10.8.16.190
proxy   IN  CNAME   bastion
ldap    IN  A       10.8.16.201
/etc/bind/named.conf.options
forwarders { 10.8.15.1; };
allow-query { any; };
/etc/bind/.gitignore
*.key
*.keys
db.0
db.127
db.255
db.empty
db.local
db.root
rndc reload
named-checkconf
named-checkzone local /etc/bind/db.local
#service bind9 reload
rndc reload local
service bind9 status
dig +short @127.0.0.1 bastion.local
Infra VM
/etc/resolv.conf
#domain local
search local
#options rotate timeout:1 retries:1
#options edns0
nameserver 10.8.15.215
VPN clients
/etc/resolv.conf
#domain local
search local
#options rotate timeout:1 retries:1
nameserver 10.9.0.1
Prevent DHCP from changing /etc/resolv.conf
chattr +i /etc/resolv.conf
lsattr /etc/resolv.conf
To be tested with systemd-resolved (/etc/systemd/resolved.conf)
On openvpn-it1 (DNS Slave)
/etc/bind/named.conf.local
zone "local" {
    type slave;
    masters { 10.8.15.215; };
    allow-notify { 10.8.15.215; };
    file "/var/lib/bind/db.local";
    allow-transfer { 10.9.0.21; };
};
# List every name in /etc/bind/zones/*.db that actually resolves to 192.168.10.22
for fqdn in $(rgrep 192.168.10.22 /etc/bind/zones \
              | sed -e 's%^/etc/bind/zones/%%' -e 's%.db%%' \
              | awk '{print $1}' \
              | awk -F':' '{print $2 "." $1 }' \
              | sed -e 's%^@.%%' \
              | sort -n) ; do
    host $fqdn
done | grep 'has address 192.168.10.22' | awk '{print $1}'
Get TTL
dig +ttlunits +noall +answer @127.0.0.1 example.org