bdnog11:netsec:bind-authoritative

Differences

This shows you the differences between two versions of the page.

bdnog11:netsec:bind-authoritative [2020/01/11 16:28]
Muhammad Moinur Rahman created
bdnog11:netsec:bind-authoritative [2020/01/12 16:00] (current)
Muhammad Moinur Rahman
Line 11: Line 11:
   - Create a new working directory for your master server under ''/​etc/​bind''<​code>​mkdir -p /​etc/​bind/​master</​code>​   - Create a new working directory for your master server under ''/​etc/​bind''<​code>​mkdir -p /​etc/​bind/​master</​code>​
   - Create a zone file for your domain under `/​etc/​bind/​master` and add necessary resource records like NS record, A record, txt record, MX record that will determine which host is receiving mail for your domain. For example, if you have `groupXX.net` as your domain, you must create `db.groupXX.net`,​ with the following base contents (sample configuraiton for server01):​\\ <​code>​   - Create a zone file for your domain under `/​etc/​bind/​master` and add necessary resource records like NS record, A record, txt record, MX record that will determine which host is receiving mail for your domain. For example, if you have `groupXX.net` as your domain, you must create `db.groupXX.net`,​ with the following base contents (sample configuraiton for server01):​\\ <​code>​
- $TTL 1d +$TTL 1d 
- @ SOA ns.groupXX.net. email.groupXX.net. ​  (+@ SOA ns.groupXX.net. email.groupXX.net. ​  (
                  ​2016010101 ;​serial no.                  ​2016010101 ;​serial no.
                  ​30m ;​refresh                  ​30m ;​refresh
Line 18: Line 18:
                  ​1d ;​expire                  ​1d ;​expire
                  ​30m ;​negative cache ttl                   ​30m ;​negative cache ttl 
- +
-   +   
- IN NS   ​ns.groupXX.net. +@       IN NS      ns.groupXX.net.
-  +
- ns IN A 192.168.30.X +
- www IN A 192.168.30.X +
-  +
- mail01 IN A 192.168.1XX.200 +
- mail02 IN A 192.168.1XX.201+
  
- groupXX.net. MX 10 mail01.groupXX.net+ns IN A 192.168.30.X 
- groupXX.net. MX 20 mail02.groupXX.net. +www  IN A 192.168.30.X
-  +
- groupXX.net. IN TXT "​groupXX Authoritative DNS Server"</​code>​ +
-  - Modify the configuration file (''/​etc/​bind/​named.conf.default-zones''​)Please note that the primary zone is of "type master"​ while a secondary zone is of "type slave.” Specify your nameserver’s working directory.\\ <​code>​ +
- zone "​groupXX.net"​ { +
- type master; +
- file "​db.groupXX.net";​ +
- };</​code>​ +
- Most authoritative servers are also recursive/​caching servers for their own networks. If this is the case, also add the zones defined in the recursive `named.conf`. +
-  +
- zone "​."​ { +
- type hint; +
- file "​root.hints";​ +
- };+
  
- zone "​localhost"​ { +mail01 IN A 192.168.1XX.200 
- type master; +mail02 IN A 192.168.1XX.201
- file "db.localhost"​ ; +
- };+
  
- You can copy the `root.hints` & `db.localhost` from previous lab instruction.+groupXX.net. MX 10 mail01.groupXX.net. 
 +groupXX.net. MX 20 mail02.groupXX.net. 
 + 
 +groupXX.net. IN TXT "​groupXX Authoritative DNS Server"</​code>​ 
 +  - Modify ​the configuration file (''/​etc/​bind/​named.conf.local''​). Please note that the primary zone is of "type master"​ while a secondary zone is of "type slave.” Specify your nameserver’s working directory.\\ <​code>​ 
 +zone "​groupXX.net" { 
 + type master; 
 + file "/​etc/​bind/​master/​db.groupXX.net";​ 
 +};</​code>​
   - Reload bind configuration\\ <​code>​   - Reload bind configuration\\ <​code>​
-systemctl reload ​bind +systemctl reload ​named 
-systemctl status ​bind</​code>​ +systemctl status ​named</​code>​ 
-  - Once BIND is running, you can do some basic test using DNS tools like ''​dig''​\\ To test your name server to display the SOA  records for your domain. +  - Once BIND is running, you can do some basic test using DNS tools like ''​dig''​To test your name server to display the SOA  records for your domain. <​code>​dig @192.168.30.XX groupXX.net SOA</​code>​\\ To test your name server to display NS records ​\\ <​code>​dig @192.168.30.XX groupXX.net NS</​code> ​\\ To test your name server to display other resource records (A, MX, or TXT). You can also use the ''​-t'' ​option to set the query type.\\ <​code>​dig @192.168.30.XX ns.groupXX.net A</​code>​\\ <​code>​dig -t MX @192.168.30.XX groupXX.net</​code>​ 
- +  ​- ​Setup your server as the secondary server for your neighbour. Create a folder called slave. Your primary server’s zonefile will be copied to this folder.\\ <​code>​mkdir -p /etc/bind/slave 
- <​code>​dig @192.168.1XX.groupXX.net SOA</​code>​ +chown :bind /​etc/​bind/​slave 
- +chmod 775 /​etc/​bind/​slave</​code>​ 
- To test your name server to display NS records +  - In your ''​named.conf.local'' ​add the following (group98.net is the neighbour zone):\\<​code>​ 
- +zone "​groupYY.net"​ { 
- <​code>​dig @192.168.1XX.groupXX.net NS</​code>​ + type slave; 
-       + file "/etc/bind/​slave/​db.groupYY.net";​ 
- To test your name server to display other resource records (A, MX, or TXT). You can also use the -t option to set the query type. + masters { 192.168.30.YY;}; 
-  +};</​code>​ 
- dig @192.168.1XX.ns.groupXX.net A +  ​- ​Secure your zones by restricting who can get the zone file. You can test this by trying zone transfer from another nameserver in the lab.\\ <​code>​dig @localhost groupYY.net AXFR</​code>​\\ ​If successful, you will see all the resource records as an output. 
- dig -t MX @192.168.1XX.groupXX.net +  ​- ​Now, add the ''​allow-transfer'' ​line in your ''​named.conf.local'' ​for the zones where you are primary ​so that your zone block looks like following:\\ <​code>​ 
- +zone "​groupXX.net"​ { 
-7. Setup your server as the secondary server for your neighbour. ​  + type master; 
- (Optional) ​Create a folder called slave. Your primary server’s zonefile will be copied to this folder. ​ + file "/​etc/​bind/​master/​db.groupXX.net";​ 
-  + allow-transfer { 192.168.30.YY; }; 
- mkdir /var/named/slave +};</​code>​\\ ​Execute the same dig command again. If successful, the status in the dig output should say Transfer Failed. 
-  +  ​- ​You can make `groupYY.net` (the secondary/​slave server) as authorative server. For that add another NS record in the `db.groupXX.net` file:\\ <​code>​ 
- In your `named.conf`, add the following (group98.net is the neighbour zone):  +$TTL 1d 
-  +@ SOA ns.groupXX.net. email.groupXX.net. ​  (
- zone "​groupYY.net"​ { +
- type slave; +
- file "/var/named/​slave/​db.groupYY.net";​ +
- masters { 192.168.1YY.1; +
- }; +
- }; +
- +
-8. Secure your zones by restricting who can get the zone file.   +
-You can test this by trying zone transfer from another nameserver in the lab. +
- +
- dig @localhost groupYY.net AXFR +
- +
- If successful, you will see all the resource records as an output.  +
-  +
- Now, add the following ​line in your `named.conffor the zones where you are primary: +
-  +
- zone "​groupXX.net"​ { +
- type master; +
- file "​db.groupXX.net";​ +
- allow-transfer { 192.168.1YY.1 +
- }; +
- }; +
- +
- Execute the same dig command again. If successful, the status in the dig output should say Transfer Failed. +
-  +
-9. You can make `groupYY.net` (the secondary/​slave server) as authorative server. For that add another NS record in the `db.groupXX.net` file: +
-  +
- $TTL 1d +
- @ SOA ns.groupXX.net. email.groupXX.net. ​  (+
                  ​2016010101 ;​serial no.                  ​2016010101 ;​serial no.
                                    
  <​config sniff...........>​  <​config sniff...........>​
      
- IN NS   ​ns.groupXX.net. +@       IN NS   ​ns.groupXX.net. 
- IN NS   ​ns.groupYY.net.+@       IN NS   ​ns.groupYY.net.
   
- <​config sniff..........>​ + <​config sniff..........>​</code>
-  +
- The complete `named.conf` for an authoritative+recursive server is as follows: +
- +
- // named.conf +
- // global configuration +
-  +
- options { +
- directory "/​var/​named/​master";​ +
- }; +
- +
- // root-hints +
- zone "​."​ { +
- type hint; +
- file "​root.hints";​ +
- }; +
- +
- // recursive name server config +
- zone "​localhost"​ { +
- type master; +
- file "​db.localhost"​ ; +
- }; +
-  +
- // primary zones +
- zone "​groupXX.net"​ { +
- type master; +
- file "​db.groupXX.net";​ +
- }; +
-  +
- // secondary zones +
- zone "​groupYY.net"​ { +
- type slave; +
- file "/​var/​named/​slave/​db.groupYY.net";​ +
- masters { 192.168.1YY.1;​ +
- }; +
- }; +
- +
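Review bot: the zone-transfer restriction test in steps 8 and 9 cannot show "Transfer Failed" as written. The check runs `dig @localhost groupYY.net AXFR`, which transfers the local slave copy of groupYY.net, while the `allow-transfer { 192.168.30.YY; };` line is added only to the groupXX.net master zone; re-running the same command is unaffected by that change and still succeeds, and the slave zone itself keeps no transfer restriction at all. Suggest testing against the zone that was restricted, from a lab host that is not listed in its allow-transfer (e.g. `dig @192.168.30.XX groupXX.net AXFR` from a third server), and adding an `allow-transfer` to the slave zone block as well (or once in the global `options` block) so the secondary copy is not transferable by anyone. Two smaller points: the step-10 snippet adds `@ IN NS ns.groupYY.net.` but leaves the serial at 2016010101, so the secondary will not pick up the new NS record until the serial is incremented; and the step-7 text says "group98.net is the neighbour zone" while the block uses groupYY.net. Also, `''dig''To test` in step 6 needs a full stop or line break between the two.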
bdnog11/netsec/bind-authoritative.1578738497.txt.gz · Last modified: 2020/01/11 16:28 by Muhammad Moinur Rahman