Last updated: 2021-02-09
Introduction
BIND (Berkeley Internet Name Domain); the server daemon itself is called named.
Contents
- Install
- Check Version
- Run it
- Chroot
- Listen Setting
- Reload(signal)
- Log settings
- Recursion
- How a DNS server gets attacked
- zone
- Record Setting
- Record Format
- Record TTL
- ACL
- Blackhole
- Query
- Returned order
- Performance
- Forwarder
- allow-update - update by key
- notify (DNS BIND Zone Transfers and Updates)
- Slave
- Compile bind9
- geoip
- rndc
- block-dns-ddos script
Install
Centos6:
yum install bind-utils bind
OR
yum install bind-utils bind bind-chroot
# bind-chroot: A chroot runtime environment for the ISC BIND DNS server
Files installed by bind-chroot (the chroot tree):
/var/named/chroot
/var/named/chroot/dev
/var/named/chroot/dev/null
/var/named/chroot/dev/random
/var/named/chroot/dev/zero
/var/named/chroot/etc
/var/named/chroot/etc/localtime
/var/named/chroot/etc/named
/var/named/chroot/etc/named.conf
/var/named/chroot/etc/pki
/var/named/chroot/etc/pki/dnssec-keys
/var/named/chroot/usr
/var/named/chroot/usr/lib
/var/named/chroot/usr/lib/bind
/var/named/chroot/var
/var/named/chroot/var/log
/var/named/chroot/var/named
/var/named/chroot/var/run
/var/named/chroot/var/run/named
/var/named/chroot/var/tmp
These files from /etc are bind-mounted into the chroot when the service starts:
/etc/named.conf
/etc/rndc.conf
/etc/rndc.key
/etc/named.rfc1912.zones
/etc/named.dnssec.keys
/etc/named.iscdlv.key
Check Version
named -v
BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4
Run it by command
/usr/local/bind/sbin/named -c /usr/local/bind/etc/named.conf
- -4 IPv4 only
- -c config-file Default: /etc/named.conf
- -f foreground
- -u user
- -v version number
- -V version number and build options
Disable the IPv6 listen
named.conf
listen-on port 53 { any; }; listen-on-v6 port 53 { none; };
Disable the IPv6 lookups
"/etc/sysconfig/named"
OPTIONS="-4"
-4 # Use IPv4 only even if the host machine is capable of IPv6.
Checking
ps aux | grep named
filter-aaaa-on-v4 Setting
filter-aaaa-on-v4 break-dnssec;
BIND 9 must be compiled with a special build-time option (./configure --enable-filter-aaaa)
filter-aaaa-on-v4 yes;
If AAAA filtering is active for a given transport, and a query for type AAAA or ANY is received via that transport, then AAAA records will be omitted from the response, UNLESS the response is DNSSEC-signed.
filter-aaaa-on-v4 break-dnssec;
AAAA records will be omitted even if they are signed.
RRSIG records covering type AAAA will be omitted as well.
Chroot setup
The chroot initialisation script mounts the configuration files into the chroot with mount --bind,
so there is no need to copy anything into /var/named/chroot/ by hand.
Setting
/etc/sysconfig/named
ROOTDIR=/var/named/chroot
Config Service
systemctl disable named
systemctl enable named-chroot
systemctl start named-chroot
# after the service starts, the bind mounts show up as extra mount points
mount | grep chroot
These paths are automatically bind-mounted into the chroot:
/var/named/chroot/etc/named
/var/named/chroot/etc/named.root.key
/var/named/chroot/etc/named.conf
/var/named/chroot/etc/named.rfc1912.zones
/var/named/chroot/etc/rndc.key
/var/named/chroot/usr/lib64/bind
/var/named/chroot/etc/named.iscdlv.key
/var/named/chroot/etc/localtime
/var/named/chroot/run/named
/var/named/chroot/var/named
Package: bind-chroot
This package contains a tree of files which can be used as a chroot(2) jail for the named(8) program from the BIND package.
- /usr/lib/systemd/system/named-chroot-setup.service
- /var/named/chroot/*
- ...
Comments
named.conf accepts C-style (/* ... */), C++-style (//) and shell-style (#) comments:
// this is a comment
Listen setting
# the port the server listens on (global default for listen-on / listen-on-v6)
port 53;
listen-on
# choose the interface(s) / address(es) to listen on.
# Multiple listen-on statements are allowed.
listen-on [ port ip_port ] { address_match_list };
Default (as shipped in named.conf):
listen-on port 53 { 127.0.0.1; };
My setting:
# x.x.x.x is the address of the WAN interface
listen-on port 53 { 127.0.0.1; x.x.x.x; };
OR
listen-on port 53 { any;};
listen-on-v6
# the address(es)/interface(s) on which BIND listens for IPv6 queries.
# Multiple listen-on-v6 statements are allowed.
i.e.
listen-on-v6 {any;};
listen-on-v6 {none;};
Reload (signal)
SIGHUP (1)           # force a reload of the server (re-read named.conf and zone files)
SIGINT, SIGTERM (15) # shut down the server
ps aux
root 26436 0.0 2.0 13928 10352 ? Ss Oct22 0:00 /usr/local/bind/sbin/named -c /usr/local/bind/etc/named.conf
root 26444 0.0 2.0 13912 10340 ? Ss Oct22 0:08 /usr/local/bind/sbin/named
Both processes have to be sent kill -1 (SIGHUP) before the reload takes effect!! (rndc reload, described in the rndc section, is the supported way to do the same thing.)
Log settings
Logging needs two things to be configured:
- channel  # where the log goes (file | syslog | stderr | null)
- category # what to log. When no logging clause is given, everything goes to syslog (/var/log/messages on CentOS)
channel
channel_name:
channel channel_name ; [ channel_name ; ... ]
Standard (pre-defined) values:
- "default_debug"
- "default_stderr" output to stderr (normally the console)
- "default_syslog" log everything to syslog (default logging destination)
- "null" discard all log entries
Channel settings:
severity:
# messages below the chosen level are not logged
critical # only critical errors.
error    # error and above.
warning  # warning and above.
notice   # notice and above.
info     # info and above - log starting to get chatty.
debug    # debug and above. 'debug N' selects a debug level; 'debug 0' means no debugging.
dynamic  # debug and above, at whatever debug level the server is currently running (changed at run time with rndc trace / notrace).
syslog:
syslog syslog_facility
'syslog' indicates that this channel will use syslogd logging features
null:
# From the grammar above 'file', 'syslog', 'stderr' and 'null' are mutually exclusive for a 'channel'.
'null' writes to /dev/null
print-X:
# The default is 'no'.
print-time yes; print-severity yes; print-category yes;
Log file size and versions:
# limit the file size to 128M; when the limit is reached the file is rolled
# version files are created by BIND by appending .0, .1 etc.
# .0 always contains the most recently rolled log
file "data/named.log" versions 4 size 128m;
Log rolling policy
- size AND versions    => rolled when the size limit is reached
- NO size AND versions => rolled each time BIND is restarted (i.e. when the log file is reopened)
- size AND NO versions => BIND stops logging to the file once the size limit is reached
Category
Categories include default, general, queries, update, resolver, security, xfer-in, xfer-out ...
queries
Logs all query transactions.
default
Logs all values which are not explicitly defined in category statements
general
Anything that is not classified as any other item in this list defaults to this category.
general: zone xxx.org/IN: expired connect(fe80::#53) 22/Invalid argument socket.c:5268: unexpected error:
network
Logs all network operations.
client
Processing of client requests.
update
notify # Logs all NOTIFY operations.
update # Logging of all dynamic update (DDNS) transactions
update-security # Approval and denial of update requests used with DDNS.
security
Approval and denial of requests.
security: client x.x.x.x#59586: query (cache) 'xxx.org/A/IN' denied
zone transfers
xfer-in
xfer-out
lame-servers
Lame servers: mis-configuration in the delegation of domains, discovered by BIND 9 when trying to obtain authoritative answers.
If the volume of these messages is high many users elect to send them to the null channel
e.g. category lame-servers {null;};
rate-limit
unmatched
No matching view clause or unrecognized class value. (default: null )
...
Default setting:
logging {
    category default { default_syslog; default_debug; };
    category unmatched { null; };
};
Example configuration:
options {
.............
}
logging {
channel my_default_log {
print-time yes;
print-category yes;
file "data/named.log" versions 4 size 256m;
severity info;
};
channel my_security_log {
print-time yes;
file "data/security.log" versions 4 size 128m;
severity info;
};
/* category */
category default{ my_default_log; };
category security{ my_security_log;};
category lame-servers {null;};
category queries{null;};
};
P.S.
BIND uses syslogd before a valid logging clause is available
( named.conf parse errors => /var/log/messages )
Debug Log
channel default_debug {
file "data/debug.log" versions 4 size 10m;
print-time yes;
print-category yes;
print-severity yes;
severity dynamic;
};
category default { default_debug; };
rndc flush                      # empty the cache so the lookup really goes out to the network
> /var/named/data/debug.log     # truncate the old debug log ("data/debug.log" is relative to the options directory, /var/named on CentOS)
rndc trace 9                    # debug level 9: the "severity dynamic" channel now logs everything
dig datahunter.org
rndc notrace                    # back to debug level 0
rndc flush; dig datahunter.org  # repeat with a cold cache to reproduce
Recursion
Only act as a recursive resolver for the local LAN:
options {
    recursion yes;
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};
Other settings
recursive-clients <integer>; # The default is 1000
This sets the maximum number (a “hard quota”) of simultaneous recursive lookups the server performs on behalf of clients.
each recursing client uses a fair bit of memory (on the order of 20 kilobytes)
“soft quota” 90% of recursive-clients
When this lower quota is exceeded, incoming requests are accepted, but for each one, a pending request is dropped.
max-recursion-depth <integer>; # The default is 7.
If the number of recursions exceeds this value, the recursive query is terminated and returns SERVFAIL.
max-recursion-queries <integer>; # The default is 100.
This sets the maximum number of iterative queries that may be sent while servicing a recursive query.
resolver-query-timeout <integer>; # default 10000, maximum 30000, unit: milliseconds (older releases took seconds)
The time the resolver spends attempting to resolve a recursive query before giving up with SERVFAIL.
Zone
The following keeps the per-zone configuration in "/etc/named/named.zones"
Add to /etc/named.conf:
include "/etc/named/named.zones";
# per-zone configuration
Contents of /etc/named/named.zones:
zone "xxx.net" IN { type master; file "zones/db.xxx.net"; allow-update { none; }; };
# the zone's records ( NS, MX, A, CNAME ... ); "zones/..." is relative to the options directory (/var/named)
/var/named/zones/db.xxx.net
How a DNS server gets attacked
- Open DNS: is a DNS that will accept recursive queries from external locations.
- Closed DNS: is a DNS that will accept recursive queries only from an identified (and hopefully trusted) set of clients.
- DoS attacks: flooding the server with queries for random (non-existent) names, so that every query misses the cache and has to be resolved.
- DoS amplification attacks: by sending queries with a spoofed source address that produce large answers, the attacker makes your DNS server part of (amplifies the effect of) a wider DoS attack on a particular site.
- Cache poisoning: by sending specific queries the attacker tries to get forged answers into your cache, and thereby to control where traffic leaving your site goes.
DoS amplification attacks (what it looks like in the log)
Feb 5 19:01:27 ns1 named[4819]: error (network unreachable) resolving 'ox.www.167uc.com/A/IN': 2400:cb00:2049:1::adf5:3b93#53
Feb 5 19:01:28 ns1 named[4819]: error (network unreachable) resolving 'wjilmp.www.167uc.com/A/IN': 2400:cb00:2049:1::adf5:3b93#53
Feb 5 19:01:28 ns1 named[4819]: error (network unreachable) resolving 'oncbofuxchwt.www.167uc.com/A/IN': 2400:cb00:2049:1::adf5:3b93#53
Feb 5 19:01:28 ns1 named[4819]: error (network unreachable) resolving 'chwxol.www.167uc.com/A/IN': 2400:cb00:2049:1::adf5:3b93#53
Feb 5 19:01:28 ns1 named[4819]: error (network unreachable) resolving 'ybytcngbenqt.www.167uc.com/A/IN': 2400:cb00:2049:1::adf5:3b93#53
Feb 5 19:01:28 ns1 named[4819]: error (network unreachable) resolving 'wz.www.167uc.com/A/IN': 2400:cb00:2049:1::adf5:3b93#53
Note the random labels under www.167uc.com: every query is a cache miss, which is what makes the flood expensive for the resolver.
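Added example (written for these notes, not BIND code): a Python detector that scans resolver-error lines in the format above and reports parent names that receive a flood of child labels which never repeat, the signature of a random-subdomain ("water torture") flood. The sample lines are constructed from the entries above plus a few normal lookups; the thresholds zone_labels, min_distinct and min_unique_ratio are assumptions to tune for your own server.

```python
# Added example (not part of the original notes, not BIND code): detect a
# random-subdomain flood from named's resolver error log.  The attack in
# the log above queries endless never-seen labels under one parent name,
# so every query misses the cache.  Sample lines are constructed to match
# the format shown above.
import re
from collections import Counter, defaultdict

RESOLVE_RE = re.compile(r"resolving '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN'")

SAMPLE_LOG = """\
Feb  5 19:01:27 ns1 named[4819]: error (network unreachable) resolving 'ox.www.167uc.com/A/IN': 2400:cb00:2049:1::adf5:3b93#53
Feb  5 19:01:28 ns1 named[4819]: error (network unreachable) resolving 'wjilmp.www.167uc.com/A/IN': 2400:cb00:2049:1::adf5:3b93#53
Feb  5 19:01:28 ns1 named[4819]: error (network unreachable) resolving 'oncbofuxchwt.www.167uc.com/A/IN': 2400:cb00:2049:1::adf5:3b93#53
Feb  5 19:01:28 ns1 named[4819]: error (network unreachable) resolving 'chwxol.www.167uc.com/A/IN': 2400:cb00:2049:1::adf5:3b93#53
Feb  5 19:01:28 ns1 named[4819]: error (network unreachable) resolving 'ybytcngbenqt.www.167uc.com/A/IN': 2400:cb00:2049:1::adf5:3b93#53
Feb  5 19:01:28 ns1 named[4819]: error (network unreachable) resolving 'wz.www.167uc.com/A/IN': 2400:cb00:2049:1::adf5:3b93#53
Feb  5 19:01:29 ns1 named[4819]: error (network unreachable) resolving 'www.example.com/AAAA/IN': 2001:db8::53#53
Feb  5 19:01:30 ns1 named[4819]: error (network unreachable) resolving 'www.example.com/AAAA/IN': 2001:db8::53#53
Feb  5 19:01:31 ns1 named[4819]: error (network unreachable) resolving 'mail.example.com/A/IN': 2001:db8::53#53
"""


def parse_qnames(lines):
    """Yield the query name (lower-cased, without trailing dot) from each 'resolving' line."""
    for line in lines:
        m = RESOLVE_RE.search(line)
        if m:
            yield m.group("qname").rstrip(".").lower()


def suspects(lines, zone_labels=2, min_distinct=5, min_unique_ratio=0.9):
    """Return {parent: (distinct_children, total_queries)} for parents that
    received at least min_distinct different child names and where at
    least min_unique_ratio of the queries were for a name seen only once.
    zone_labels = how many trailing labels form the 'parent' (assumption)."""
    seen = defaultdict(list)                      # parent -> child names queried, in order
    for qname in parse_qnames(lines):
        labels = qname.split(".")
        if len(labels) <= zone_labels:
            continue
        parent = ".".join(labels[-zone_labels:])
        seen[parent].append(".".join(labels[:-zone_labels]))
    result = {}
    for parent, children in seen.items():
        counts = Counter(children)
        singles = sum(1 for c in counts.values() if c == 1)
        if len(counts) >= min_distinct and singles / len(children) >= min_unique_ratio:
            result[parent] = (len(counts), len(children))
    return result


if __name__ == "__main__":
    print(suspects(SAMPLE_LOG.splitlines()))   # {'167uc.com': (6, 6)}
```

On the constructed sample only 167uc.com is reported: six queries, six distinct never-repeated children, while the repeated www.example.com lookups are left alone. Feed it `grep resolving /var/log/messages` (or the general category channel) over a few minutes to see which parent is being used against you before reaching for rate limiting.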
Fix:
There are two approaches
1. Use iptables to limit queries per source
2. Use BIND's "credit" / token-bucket response rate limiting (RRL) to limit UDP responses (TCP is not limited)
(Short truncated (TC=1) responses can still be sent so that legitimate clients whose addresses fall inside a forged range get a rate-limited answer.)
(Legitimate clients react to a dropped or truncated response by retrying over UDP or over TCP respectively.)
<1:>
iptables -A INPUT -p udp -m udp --dport 53 -m recent --set --name dnslimit --rsource
iptables -A INPUT -p udp -m udp --dport 53 -m recent --name dnslimit --update --seconds 60 --hitcount 11 -j DROP
# drops a source that sends more than 10 UDP queries in 60 seconds (with spoofed sources this hits the victim, not the attacker)
<2:>
options {
    ......
    rate-limit {
        responses-per-second 5;   # 0: no limit
        # nodata-per-second N;
        # nxdomain-per-second N;
        # all-per-second N;       # simply counts all the responses sent to a particular client IP
        window 5;                 # default: 15 s
        ipv4-prefix-length 24;    # default is 24
        log-only no;              # yes: for testing; default is no
        exempt-clients { address_match_list };
    };
};
When a client exceeds the limit you see this:
Server log:
limit responses to x.x.x.0/24 for hk.yahoo.com IN A (001208c4)
Client dig:
;; connection timed out; no servers could be reached
window
The window adds a longer-term dimension to rate limiting.
* Responses are tracked within a rolling window of time which defaults to 15 seconds
responses-per-second=5 AND window=5
=> no more than 25 ( 5 x 5 ) responses within any 5 second window, and 5 responses/second on average
* Rate limiting of individual requests is logged in the query-errors category.
* All responses to an address block are counted as if to a single client (ipv4-prefix-length default 24, ipv6-prefix-length default 56)
* max-table-size: the maximum size of the table used to track requests and rate limit responses
(each entry in the table is between 40 and 80 bytes); the default is 20,000
* Use log-only yes to test rate limiting parameters without actually dropping any responses.
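Added example (mine, a model, not ISC's RRL implementation): a token-bucket simulation of responses-per-second and window that reproduces the "25 responses in a 5 second window" arithmetic above and shows the per-/24 aggregation. The milli-credit integers, the simulate() helper and the 100-queries-per-second client are assumptions for the demonstration; the nodata/nxdomain/all classes, slip (TC=1) replies and max-table-size are not modelled.

```python
# Added example (mine, not BIND's RRL code): a simplified credit/token-bucket
# model of responses-per-second + window.  Assumptions: one credit per
# response, credits refill at responses-per-second and are capped at
# responses-per-second * window, and all clients in the same
# /ipv4-prefix-length share one bucket.
import ipaddress


class RateLimiter:
    def __init__(self, responses_per_second=5, window=15, ipv4_prefix_length=24):
        self.rps = responses_per_second
        self.window = window
        self.plen = ipv4_prefix_length
        self.buckets = {}   # prefix -> [milli_credits, last_time_ms]

    def prefix_key(self, client_ip):
        """All responses to one address block are counted as one client."""
        return str(ipaddress.ip_network(f"{client_ip}/{self.plen}", strict=False))

    def allow(self, client_ip, now_ms):
        """True if a response to client_ip at time now_ms may be sent.
        Integer milli-credits avoid floating-point drift in the refill arithmetic."""
        if self.rps == 0:                      # responses-per-second 0 => no limit
            return True
        cap = self.rps * self.window * 1000
        bucket = self.buckets.setdefault(self.prefix_key(client_ip), [cap, now_ms])
        credits, last = bucket
        # rps credits per second == rps milli-credits per millisecond
        credits = min(cap, credits + (now_ms - last) * self.rps)
        bucket[1] = now_ms
        if credits >= 1000:
            bucket[0] = credits - 1000
            return True
        bucket[0] = credits
        return False


def simulate(limiter, client_ip, queries_per_second, seconds):
    """Send evenly spaced queries from one client; return (answered, dropped)."""
    interval_ms = 1000 // queries_per_second
    answered = dropped = 0
    for i in range(queries_per_second * seconds):
        if limiter.allow(client_ip, i * interval_ms):
            answered += 1
        else:
            dropped += 1
    return answered, dropped


if __name__ == "__main__":
    rrl = RateLimiter(responses_per_second=5, window=5)
    print(simulate(rrl, "203.0.113.7", 100, 5))   # (49, 451): 25-credit burst, then ~5/s
    print(simulate(RateLimiter(5, 5), "198.51.100.1", 1, 5))   # (5, 0): a normal client is untouched
```

With responses-per-second 5 and window 5 a client hammering at 100 queries/second gets 49 of 500 answers in 5 seconds (the 25-credit burst plus the steady 5/s refill), a 1 query/second client is never limited, and a second host in the same /24 finds the bucket already empty. That last point is why exempt-clients matters for NAT'd networks you actually serve.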
Record Format
Contents
- NS, TXT, MX, A, CNAME
- SOA
- Subdomain Settings
- CNAME
e.g.
# NS, TXT, MX, A, CNAME
@ IN NS Domain.
@ IN TXT "testing"
@ IN MX 10 mail
@ IN A IP
mail IN A IP
mail 300 IN A IP2
ftp IN CNAME another.domain.
SOA
Purpose: the parameters a slave server uses when it replicates (backs up) this zone
e.g.
$TTL 3600 ; default TTL for every record in the zone that has no explicit TTL (not just the SOA)
@ IN SOA ns0.datahunter.org. root.datahunter.org. (
2024070200 ; Serial
600 ; Refresh
300 ; Retry
604800 ; Expire
300 ) ; NX (negative caching TTL)
ns0.datahunter.org <- primary name server;
responds authoritatively for the domain
root.datahunter.org. <- admin e-mail root@datahunter.org; the first "." stands in for "@"
2024070200 <- serial used for synchronisation; the usual format is the date (YYYYMMDDnn)
600 <- Refresh: how often (seconds) the slave checks whether the master's serial has changed
300 <- Retry: how long (seconds) to wait before trying again when the master cannot be contacted at refresh time
604800 <- Expire: after this long without contact the zone is no longer considered authoritative: 7 days
slaves stop responding to queries for the zone
300 <- NX (negative caching time)
The time a NAME ERROR (NXDOMAIN) result may be cached by any resolver.
Remark:
- Only one SOA record allowed in a zone file
Subdomain settings
After $ORIGIN, "@" and every relative name that follows refer to the sub-domain
; sub-domain definitions ($ORIGIN ends with "." so that it is absolute; without the dot it is appended to the current origin)
$ORIGIN sub.your.domain.
@ IN A ?.?.?.?
@ IN MX 10 domain.
CNAME (Canonical name) <-- alias / nickname
-
A CNAME owner name cannot have any other RRs with the same name,
for example a TXT !!
(RFC 1034 section 3.6.2; BIND refuses to load such a zone; DNSSEC records such as RRSIG/NSEC are the only exception)
-
A CNAME cannot be placed at the zone apex (the root of the domain),
because the apex must hold the SOA and NS records, which would conflict with it
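Added example (mine, not BIND's zone parser): a minimal master-file reader that applies $TTL and $ORIGIN as described above (absolute vs relative $ORIGIN, "@" and relative names) and then checks the two CNAME rules. The constructed SAMPLE_ZONE deliberately gives www both a CNAME and a TXT; only the single-line record syntax used on this page is supported (no multi-line SOA, no $INCLUDE), and example.org / 192.0.2.x are documentation names and addresses.

```python
# Added example (mine, not BIND code): apply $ORIGIN / $TTL like the
# sections above describe, then check the CNAME rules.  Sample zone is
# constructed.

def absolutize(name, origin):
    """'@' -> origin, 'mail' -> 'mail.<origin>', 'ns0.example.org.' unchanged."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin, default_ttl=None):
    """Return [(owner, ttl, class, type, rdata), ...] with absolute owner names."""
    if not origin.endswith("."):
        origin += "."
    records, last_owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # ';' starts a comment
        if not line.strip():
            continue
        parts = line.split()
        if parts[0] == "$ORIGIN":                     # a relative $ORIGIN is appended to the current one
            origin = absolutize(parts[1], origin)
            continue
        if parts[0] == "$TTL":                        # default TTL for records without an explicit one
            default_ttl = int(parts[1])
            continue
        if line[0] in " \t":                          # blank owner field = same owner as the previous record
            owner = last_owner
            if owner is None:
                raise ValueError("record without an owner name before any other record")
        else:
            owner = parts.pop(0)
        ttl = default_ttl
        if parts and parts[0].isdigit():
            ttl = int(parts.pop(0))
        rclass = "IN"
        if parts and parts[0].upper() in ("IN", "CH", "HS"):
            rclass = parts.pop(0).upper()
        rtype = parts.pop(0).upper()
        rdata = " ".join(parts)
        if rtype == "CNAME":                          # the target is a domain name, so it is relative too
            rdata = absolutize(rdata, origin)
        owner = absolutize(owner, origin)
        records.append((owner, ttl, rclass, rtype, rdata))
        last_owner = owner
    return records


def check_cnames(records, zone_apex):
    """Return the CNAME rule violations described above."""
    if not zone_apex.endswith("."):
        zone_apex += "."
    types_by_owner = {}
    for owner, _ttl, _cls, rtype, _rdata in records:
        types_by_owner.setdefault(owner, []).append(rtype)
    problems = []
    for owner, types in types_by_owner.items():
        if "CNAME" not in types:
            continue
        if owner == zone_apex:
            problems.append(f"{owner}: CNAME at the zone apex (apex must hold SOA and NS)")
        others = sorted({t for t in types if t not in ("CNAME", "RRSIG", "NSEC", "NSEC3")})
        if others:
            problems.append(f"{owner}: CNAME coexists with {', '.join(others)}")
        if types.count("CNAME") > 1:
            problems.append(f"{owner}: more than one CNAME")
    return problems


SAMPLE_ZONE = """\
$TTL 3600 ; default TTL
$ORIGIN example.org.
@      IN SOA ns0.example.org. hostmaster.example.org. 2024070200 600 300 604800 300
@      IN NS  ns0.example.org.
@      IN MX  10 mail
@      IN A   192.0.2.1
mail   IN A   192.0.2.2
mail 300 IN A 192.0.2.3
ftp    IN CNAME www.example.net.
www    IN CNAME mail
www    IN TXT "this conflicts with the CNAME above"
$ORIGIN sub
@      IN A   192.0.2.10
@      IN MX  10 mail.example.org.
"""

if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE, "example.org")
    for r in recs:
        print(r)
    print(check_cnames(recs, "example.org"))   # ['www.example.org.: CNAME coexists with TXT']
```

The sub-domain records come out owned by sub.example.org. (the relative $ORIGIN sub was appended to example.org.), mail gets the $TTL default of 3600 on one record and its explicit 300 on the other, and the only complaint is the www CNAME/TXT clash. named-checkzone reports the same clash; the point of the example is to show where the names and TTLs come from.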
Record TTL
domain. 3600 IN TXT "string"
ACL
acl "trusted" { 127.0.0.1; };
Blackhole
blackhole defines a address_match_list of hosts that the server will NOT respond to, or answer queries for.
blackhole { address_match_list };
Query
allow-query
allow-query { localhost; };   // default: allow-query { any; };
// e.g. allow-query { 10.0/16; }; recursion no;
If recursion no; is present, allow-query-cache defaults to { none; };
If recursion yes; (the default) and allow-recursion is NOT present,
=> allow-query-cache defaults to { localnets; localhost; };
acl "trusted" { 127.0.0.1; };   // the acl must be defined before it is referenced
options { allow-recursion { trusted; }; };
recursive-clients 25;
Defines the number of simultaneous recursive lookups the server will perform on behalf of its clients.
allow-query-on
// the local address(es)/interface(s) on which queries are accepted
Default: allow-query-on { any; };
allow-query-cache
* available since BIND 9.4
This was done to limit the number of, possibly inadvertent, OPEN DNS resolvers.
Setting:
allow-query-cache { address_match_list };
allow-query-cache { 10/8; };
Returned order
Defines the order in which the records of an RRset (equal records for one name) are returned.
rrset-order { order random; };
- fixed  - records are returned in the order they are defined in the zone file (only available when BIND was built with --enable-fixed-rrset)
- random - records are returned in a random order
- cyclic - records are returned in a round-robin fashion
Performance
minimal-responses yes; <--- BIND default is no (newer releases default to no-auth-recursive)
(the server only adds records to the authority and additional sections when they are required; smaller answers also mean less amplification potential)
Forwarder
forward ( only | first ); <-- "first" (default): ask the forwarders first and, if they do not answer, try to resolve the query itself; "only": never resolve itself
forwarders { 10.2.3.4; 192.168.2.5; };
allow-update - update by key
# DDNS
allow-update { address_match_list };
* hosts that are allowed to submit dynamic updates for master zones
* the default in BIND 9 is to disallow updates from all hosts
# define an update key (generate it with tsig-keygen, or ddns-confgen on older releases;
# HMAC-MD5 is kept here from the original notes, prefer hmac-sha256)
key "YOUR_KEYNAME" {
    algorithm HMAC-MD5;
    secret "YOUR_BASE64_KEY";
};
# disable DDNS explicitly
zone "YOUR_DOMAIN" IN {
    type master;
    file "data/YOUR_DOMAIN";
    allow-update { none; };   // no DDNS by default
    ....
};
// DDNS by key
zone "YOUR_DOMAIN" IN {
    type master;
    file "data/YOUR_DOMAIN";
    allow-update { key "YOUR_KEYNAME"; };
};
// DDNS from this host only (IP-based: anyone who can spoof or take over 10.0.1.2 can update the zone)
zone "example.com" IN {
    ....
    type master;
    allow-update { 10.0.1.2; };
    ....
};
key setting (update-policy is the finer-grained alternative to allow-update; a zone may use one or the other, not both):
update-policy {
    grant "USER-KEY" subdomain DOMAIN A;   // grant <identity> <nametype> <name> [<types>]
};
notify (DNS BIND Zone Transfers and Updates)
notify
# Applicable to both master zones (type master;) and slave zones (type slave;); can also be set globally in options (applies to all zones)
# "NOTIFY" messages are sent to the name servers listed in the NS records for the zone
# 'no': NOTIFY messages are not sent.
# 'yes' (default): when a zone is loaded or changed, NOTIFY messages are sent to the name servers listed in the NS records for the zone (plus any also-notify targets)
# 'explicit': NOTIFY is only sent to those IP(s) listed in an also-notify statement.
# The receiver of the NOTIFY message should query the zone SOA directly from the IP(s) defined in the zone's masters statement.
notify yes(default) | no | explicit;
options {
    ....
    also-notify { 10.1.0.15; 172.28.32.7; };   // for all zones
    ....
};
....
zone "example.com" IN {
    ....
    notify yes;   // NS RRs and global also-notify
    ....
};
!!! By default, after a slave has transferred a zone it will also send out NOTIFY messages to all the zone's NS RRs (except itself obviously).
This behavior can be inhibited by using a 'notify no;' statement in the slave's zone clause.
Dec 5 21:07:07 localhost named[1833]: zone x.x.x.x/IN: sending notifies (serial 117)
!!! NOTIFY does not indicate that the zone data has changed, but rather that the zone data may have changed.
The receiver of the NOTIFY message should query the zone SOA directly from the IP(s) defined in the zone's masters statement.
allow-notify
# Applies to slave zones only
# IP address(es) that are allowed to send a NOTIFY for this zone to this server
# The default behaviour is to accept NOTIFY only from the masters IP(s).
allow-notify { address_match_list };
# accept NOTIFY from the listed IPs (in addition to the masters)
allow-notify { 192.168.0.15; 192.168.0.16; 10.0.0.1; };
# accept no NOTIFY other than from the masters
allow-notify { none; };
also-notify
# configured on the master server
# servers that will be sent a NOTIFY when the master zone file is reloaded, in addition to the NS RRs
# By default BIND9 will send NOTIFY messages to all the target names (right-hand names) that appear in NS RRs for the zone
also-notify { ip_addr [port ip_port] ; [... ; ] };
Summary
master: also-notify ->> slave: allow-notify
When a NOTIFY is received:
Dec 5 21:22:51 localhost named[2586]: client 192.168.3.99#59915: received notify for zone 'mplogistics.com'
Dec 5 21:22:51 localhost named[2586]: zone your.domain/IN: Transfer started.
Dec 5 21:22:51 localhost named[2586]: transfer of 'your.domain/IN' from 192.168.3.99#53: connected using 192.168.3.111#59563
Dec 5 21:22:51 localhost named[2586]: zone your.domain/IN: transferred serial 191
Dec 5 21:22:51 localhost named[2586]: transfer of 'your.domain/IN' from 192.168.3.99#53: Transfer completed: 1 messages, 5 records, 225 bytes, 0.198 secs (1136 bytes/sec)
Dec 5 21:22:51 localhost named[2586]: zone your.domain/IN: sending notifies (serial 191)
slave zone
/etc/named.conf
...
# slave zones are kept in a separate file
include "/etc/named/slavezones.conf";
/etc/named/slavezones.conf
zone "datahunter.org" IN {
    type slave;
    allow-transfer { none; };   // do not let anyone pull the zone from the slave
    allow-query { any; };
    notify no;
    masters { ip.address.of.master; };
    file "slaves/datahunter.org.zone";
};
* "slaves/..." is relative to the options directory (/var/named on CentOS), so the copy lands in /var/named/slaves/
* masters => only in slave zones | defines one or more IP addresses | optional port | optional TSIG key
masters port 1127 { 192.168.2.7; 10.2.3.15 key zt-key; };
The key-name field defines the key used to authenticate the zone transfers with TSIG and references the name of a key clause;
a corresponding key clause with the same key-name must be present on the master server(s)
zone transfer log ( /var/log/messages )
# master: x.x.x.x
# slave: y.y.y.y (local ip)
Sep 5 16:51:27 ns2 named[11420]: zone datahunter.org/IN: Transfer started.
Sep 5 16:51:27 ns2 named[11420]: transfer of 'datahunter.org/IN' from x.x.x.x#53: connected using y.y.y.y#52562
Sep 5 16:51:27 ns2 named[11420]: zone datahunter.org/IN: transferred serial 2
Sep 5 16:51:27 ns2 named[11420]: transfer of 'datahunter.org/IN' from x.x.x.x#53: Transfer completed: 1 messages, 13 records, 332 bytes, 0.049 secs (6775 bytes/sec)
Compile bind9
Download:
[1] Find the latest release at http://www.isc.org/downloads/bind/ (verify the tarball's signature or checksum before building)
wget http://www.isc.org/downloads/file/bind-9-10-0b1-2/?version=tar.gz -O bind-9-10-0b1-2.tar.gz
[2] Install tools
yum groupinstall "Development tools"
yum install GeoIP GeoIP-devel <-- from epel
GeoIP header
GeoIP Package
/etc/GeoIP.conf
/usr/bin/geoiplookup
/usr/bin/geoipupdate
/usr/share/GeoIP/GeoIP.dat
/usr/share/GeoIP/..........
GeoIP-devel
/usr/include/GeoIP.h
/usr/include/GeoIPCity.h
/usr/include/GeoIPUpdate.h
/usr/lib/libGeoIP.so
/usr/lib/libGeoIPUpdate.so
/usr/lib/pkgconfig/geoip.pc
[3] Compile
tar -zxf bind-9-10-0b1-2.tar.gz
cd bind-9.10.0-P2/
--with-geoip       # GeoIP-based ACLs
--enable-threads   # enable multithreading
./configure --enable-threads --with-geoip
............................
Configuration summary:
------------------------------------------------------------------------
Optional features enabled:
    Multiprocessing support (--enable-threads)
    GeoIP access control (--with-geoip)
    GSS-API (--with-gssapi)
    ECDSA algorithm support (--with-ecdsa)
    Print backtrace on crash (--enable-backtrace)
    Use symbol table for backtrace, named only (--enable-symtable)
Dynamically loadable zone (DLZ) drivers:
    None
Setup
/etc/resolv.conf
nameserver 127.0.0.1
# run named as an unprivileged user (named -u named)
groupadd -g 20 named
useradd -u 20 -g named -s /bin/false named
geoip
# built into BIND 9.10
# load the GeoIP database
options {
    geoip-directory "/path/to/geoip/database";   # "geoip-directory" option
};
# geoip ACLs
acl "example" {
    geoip country US;
    geoip region CA;
    geoip city "Redwood City";
};
match-clients
# Any client whose source IP matches will be served by the view in which the clause appears
# matched against the source IP address; default is any
# match-clients { address_match_element; ... };
# match-clients { 10.0.0.0/8; 172.16.0.0/16; !192.168.0.0/16; };   (prefix and length must agree; e.g. 10.2.3.0/8 is rejected at load time)
view "example" {
match-clients { example; };
zone "xxx.xxx" {
type master;
file "locals/xxx.xxx.zone";
};
};
view "default" {
zone "xxx.xxx" {
type master;
file "nonlocals/xxx.xxx.zone";
};
};
file and type
- file # Defines the file used by the zone in quoted string format
- type zone_type
zone_type:
- master
- slave
- in-view
- hint            # The initial set of root servers.
                  # When the server starts up it uses the hints zone file to find a root name server and
                  # get the most recent list of root name servers.
- redirect
- delegation-only
- forward         # forwarding on a per-domain or per-zone basis.
- stub            # similar to a slave zone except that it replicates only the NS records
- static-stub
View: 'split' DNS using views (internal | external)
view "internal-view" {
    match-clients { internal; };
    zone "." IN {
        type hint;
        file "db.cache";
    };
    zone "internal.nixcraft.com" IN {
        type master;
        file "zones/lan.master.nixcraft.com";
        allow-transfer { key TRANSFER; };
    };
};
view "external-view" {
    match-clients { any; };
    recursion no;
    zone "nixcraft.com" IN {
        type master;
        file "zones/internet.master.nixcraft.com";
        allow-transfer { key TRANSFER; };
    };
};
dnssec
dnssec-enable
Indicates that a secure DNS service is being used, which may be one or more of TSIG (for securing zone transfers or DDNS updates), SIG(0) (for securing DDNS updates) or DNSSEC. Since BIND 9.5 the default value is dnssec-enable yes;; in recent BIND 9 releases the option is obsolete and ignored. This statement may be used in a view or global options clause.
dnssec-validation
Indicates that a resolver (a caching or caching-only name server) will attempt to validate replies from DNSSEC-enabled (signed) zones. To perform this task the server also needs either a valid trusted-keys clause (containing one or more trust anchors) or a managed-keys clause; dnssec-validation auto; uses the built-in root trust anchor instead. Since 9.5 the default value is dnssec-validation yes;. This statement may be used in a view or global options clause.
rndc
rndc - name server control utility
communicates with the name server over a TCP connection; commands are authenticated with a shared-secret HMAC key (the key clause in rndc.key), not with public-key signatures
Port:
953/TCP (keep it on 127.0.0.1 unless remote control is really needed)
bind9 reload zone file:
rndc reload
Disable rndc
# These control channels are used by the rndc utility to send commands to and
# retrieve non-DNS results from a name server.
controls { };
CLI Usage
rndc <options> <command> <command-options>
options
-s <server> — Specifies a server other than the default-server listed in /etc/rndc.conf.
/etc/rndc.conf
options { default-server localhost; default-key "<key-name>"; };
-y <key-name> — Specifies a key other than the default-key option in the /etc/rndc.conf file.
-p <port-number> — Specifies a port number to use for the rndc connection other than port 953, the default.
commands
halt — Stops the named service immediately.
stop — Stops the server gracefully
應用: update zone records without restart named
reconfig - will load any new zones that you've added (and remove any that you no longer have defined),
but it won't detect any changes that you've made to zones that are already loaded.
reload - Reloads the zone files but keeps all other previously cached responses.
If changes only affected a specific zone, reload only that specific zone.
i.e.
rndc reload your.domain
Note
... general: error: zone your.domain/IN: zone serial (2024020204) unchanged.
Slaves compare serials, so if the serial was not increased the change never transfers to them.
應用: Toggle query logging
# toggle query logging.
# querylog [ on | off ]
rndc querylog
應用: zone transfer immediately
refresh - Refreshes the nameserver's database (on the slave)
Use it when you want a slave name server to initiate a zone transfer immediately.
It causes a zone transfer only if the master name server has a higher serial number for the zone (RFC 1982 serial arithmetic); an equal serial means "nothing changed".
rndc refresh your.domain
retransfer - Force zone update (On slave)
# Retransfer a single zone without checking the serial number
rndc retransfer your.domain
notify(On master)
Resend NOTIFY messages for the zone.
rndc notify your.domain
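Added example (mine, not from BIND): the serial comparison behind rndc refresh (transfer only when the master's serial is greater under RFC 1982 serial arithmetic), the cause of the "zone serial unchanged" warning shown under rndc reload, and a next_serial() helper that bumps a YYYYMMDDnn serial like the ones in the SOA section. The helper name and the date values are assumptions for the demonstration.

```python
# Added example (mine, not BIND code): SOA serial arithmetic as a slave
# applies it.  Serials are 32-bit and wrap, so "greater" is defined by
# RFC 1982, not by plain integer comparison.
SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


def serial_gt(a, b):
    """RFC 1982: a > b if a is 'ahead' of b by less than 2**31, wrapping modulo 2**32.
    A difference of exactly 2**31 is undefined and reported as not greater."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return False
    return (a > b and a - b < SERIAL_HALF) or (a < b and b - a > SERIAL_HALF)


def slave_should_transfer(master_serial, slave_serial):
    """What the slave decides after its SOA query (refresh timer or NOTIFY):
    transfer only if the master is ahead; an equal serial is 'unchanged'."""
    return serial_gt(master_serial, slave_serial)


def next_serial(current, today):
    """Bump a YYYYMMDDnn serial: today's date with nn=00 if that is ahead of
    the current serial, otherwise current + 1 (several edits in one day, or a
    serial that is already 'in the future')."""
    candidate = int(today) * 100
    if serial_gt(candidate, current):
        return candidate
    return (current + 1) % SERIAL_MOD


if __name__ == "__main__":
    print(slave_should_transfer(2024070201, 2024070200))   # True
    print(slave_should_transfer(2024070200, 2024070200))   # False: 'zone serial unchanged'
    print(next_serial(2024070200, "20240702"))             # 2024070201
    print(next_serial(2024070205, "20240703"))             # 2024070300
```

Note that a serial that wrapped past 2**32 still counts as "ahead" of the old one as long as the jump is under 2**31; that is also why a serial accidentally set far in the future cannot simply be set back: the slaves will see the smaller number as older and keep their copy.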
Get status
status - print status
stats - Dumps the current named statistics to the "/var/named/named.stats" file.
i.e.
rndc status
boot time: Mon, 19 Feb 2024 07:30:10 GMT
last configured: Mon, 19 Feb 2024 07:30:10 GMT
configuration file: /etc/named.conf
CPUs found: 2
worker threads: 2
UDP listeners per interface: 1
number of zones: 113 (97 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1900/2000
tcp clients: 2/150
TCP high-water: 2
server is up and running
/var/named/named.stats
+++ Statistics Dump +++ (1708328770)
++ Incoming Requests ++
                 7 QUERY
++ Incoming Queries ++
                 4 A
                 2 AAAA
                 1 ANY
++ Outgoing Rcodes ++
                 5 NOERROR
                 1 SERVFAIL
                 1 REFUSED
++ Outgoing Queries ++
[View: default]
               137 A
                32 NS
               103 AAAA
                26 DNSKEY
[View: _bind]
++ Name Server Statistics ++
                 7 IPv4 requests received
Debug with log
Enable Log
# To view what the server is doing live, if you have rndc configured run
# where x is the debugging level you want to view
rndc trace x
Disable log
# notrace = Sets the server's debugging level to 0
rndc notrace
Flush cache
# All entries
rndc flush
# All entries for microsoft.com (supported from bind 9.3)
rndc flushname microsoft.com
rndc setup on CentOS
rndc-confgen -a               # writes /etc/rndc.key directly (use rndc-confgen -a -A hmac-sha256 on releases that support -A; hmac-md5 is the legacy default)
chown root:named /etc/rndc.key
chmod 640 /etc/rndc.key
rndc.key format
key "<key-name>" {
algorithm hmac-md5;
secret "<key-value>";
};
The default key name is rndc-key
named.conf
* because /etc/named.conf is world-readable, the key is kept in a separate file
// rndc settings
include "/etc/rndc.key";
controls {
    # default TCP port 953 on the loopback address
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { <key-name>; };
};
Error
FORMERR
Dec 5 11:55:37 mail named[22289]: error (FORMERR) resolving 'ns-cmn1.qq.com/AAAA/IN': 183.61.47.15#53
When acting as a recursive resolver, BIND 9 follows the chain of
delegation from the root, contacting name servers identified for each
domain on the way.
In this case, one of those name servers returned a packet that BIND 9
did not like for some reason - a FORMat ERRor. The offending server is
marked as "lame" since it cannot answer queries for the domain in
question.
block-dns-ddos script
log
logging {
    channel security_file {
        file "data/security.log" versions 3 size 30m;
    };
    category queries { security_file; };
};
iptables
-N Block53
-A INPUT -p udp --dport 53 -m state --state NEW -j Block53
-A INPUT -p tcp --dport 53 -m state --state NEW -j Block53
-A Block53 -j ACCEPT
lookup-domain.sh
#!/bin/bash
# usage: lookup-domain.sh <domain>
# query-log lines look like "client x.x.x.x#port: query: ..." (the security_file channel has no print-time,
# so the client address is the 2nd field)
grep -- "$1" /var/named/data/security.log | cut -d' ' -f 2 | cut -d'#' -f 1 | sort | uniq >> /tmp/ip.tmp
sort -u /tmp/ip.tmp > /tmp/ip.txt
wc -l /tmp/ip.txt
block-dns-ddos.sh
#!/bin/bash
# flush the chain, add one DROP per address, then put the ACCEPT back at the end (the flush removed it)
iptables -F Block53
while read -r ip
do
    echo "$ip"
    iptables -I Block53 -s "$ip" -j DROP
done < "/tmp/ip.txt"
iptables -A Block53 -j ACCEPT
echo "Done"
# caveat: in a reflection/amplification attack the source addresses are spoofed, so blocking them blocks the victims, not the attacker;
# use this for floods from real (non-spoofed) clients, and prefer rate-limit / allow-recursion first
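Added example (mine, a Python replacement for the two shell scripts above, not part of the original notes): it extracts client addresses from query-log lines for the attacked domain, tolerating both the old "client x.x.x.x#port:" format and the newer "client @0x... x.x.x.x#port (name):" format, applies a threshold and an exempt list, and emits the Block53 rules as strings for review before anything is applied. The log lines, the threshold of 3 and the exempt networks are constructed assumptions; the same spoofing caveat applies, blocking by source only makes sense when the sources are real.

```python
# Added example (mine, not the page's scripts): build the Block53 DROP list
# from BIND query-log lines.  Sample log lines are constructed;
# 198.51.100.x / 203.0.113.x are documentation addresses.
import ipaddress
import re
from collections import Counter

# "client 192.0.2.1#59586: query: www.example.com IN A + (10.0.0.1)"            (older BIND)
# "client @0x7f... 192.0.2.1#59586 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.1)"  (newer BIND)
CLIENT_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+[^:]*: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

SAMPLE_SECURITY_LOG = """\
client 198.51.100.20#53211: query: attacked.example IN ANY + (192.0.2.53)
client 198.51.100.20#53212: query: attacked.example IN ANY + (192.0.2.53)
client 198.51.100.20#53213: query: attacked.example IN ANY + (192.0.2.53)
client 198.51.100.21#40001: query: attacked.example IN ANY + (192.0.2.53)
client @0x7f1c5c0d8a10 203.0.113.9#41000 (attacked.example): query: attacked.example IN ANY +E(0)K (192.0.2.53)
client @0x7f1c5c0d8a10 203.0.113.9#41001 (attacked.example): query: attacked.example IN ANY +E(0)K (192.0.2.53)
client @0x7f1c5c0d8a10 203.0.113.9#41002 (attacked.example): query: attacked.example IN ANY +E(0)K (192.0.2.53)
client 192.168.1.10#5353: query: attacked.example IN A + (192.0.2.53)
client 192.168.1.10#5354: query: attacked.example IN A + (192.0.2.53)
client 192.168.1.10#5355: query: attacked.example IN A + (192.0.2.53)
client 192.168.1.10#5356: query: www.example.org IN A + (192.0.2.53)
"""


def clients_querying(lines, domain):
    """Count queries per client IP whose qname is `domain` or a name below it."""
    domain = domain.rstrip(".").lower()
    counts = Counter()
    for line in lines:
        m = CLIENT_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname == domain or qname.endswith("." + domain):
            counts[m.group("ip")] += 1
    return counts


def block_rules(counts, threshold=3, exempt=("127.0.0.0/8", "192.168.0.0/16"), chain="Block53"):
    """iptables commands for clients at/above the threshold, skipping exempt networks
    (your own LAN and resolvers) so a mistake cannot lock them out."""
    nets = [ipaddress.ip_network(n) for n in exempt]
    rules = []
    for ip, n in sorted(counts.items()):
        addr = ipaddress.ip_address(ip)
        if n < threshold or any(addr in net for net in nets):
            continue
        rules.append(f"iptables -I {chain} -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    counts = clients_querying(SAMPLE_SECURITY_LOG.splitlines(), "attacked.example")
    print(counts)
    for rule in block_rules(counts):
        print(rule)
```

On the sample, 198.51.100.20 and 203.0.113.9 each sent three ANY queries for attacked.example and get a rule; 198.51.100.21 stays under the threshold and 192.168.1.10 is exempt despite its three queries. Pipe the output to sh (after adding the trailing ACCEPT, as in block-dns-ddos.sh) once you have eyeballed it.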
multiple ptr records same ip
It all comes down to unpredictable behavior since the RFC does not impose a limit or a way to handle these PTR records.
Most implementations will choose round-robin and you will not achieve your desired result
(perfect matching between many names to a single IP).