Shulou (Shulou.com), SLTechnology News & Howtos, Internet Technology. Report of 06/02, updated 2025-03-29.
Today I would like to talk about the more advanced features of Bind, which many people may not know well. To make them easier to understand I have summarized the following; I hope you get something out of it.
For the needs of a project I have sorted out the more advanced functions of Bind: DNS recursive and iterative queries, DNS subdomain delegation, DNS forwarding, DNS master-slave zone transfer, and DNS transaction signatures. For each one I record the principle behind it together with the configuration I tested line by line and the results.
All of the tests build on my earlier article on building and testing a Bind service, so if the configuration below is unclear, please read that article first.
DNS recursive and iterative queries
Why a DNS lookup is described as both recursive and iterative:
Recursive, because:
the client sends a single query to my server and expects a final answer. If the server already has the result (it is authoritative for the name, or has it cached) it answers directly; otherwise it takes on the work of finding the answer on the client's behalf. The client asks once and waits; that is the recursive query.
Iterative, because:
to find the answer the server does not make a single request. It asks a root server, which refers it to the servers for the top-level domain, which refer it to the servers for the second-level domain, and so on until a server returns the address (or name) that was asked for. Each step is a separate request and reply, and each reply is either the answer or a referral to the next server; that chain is the iterative query.
I described this process in more detail in my post on building and testing Bind, so I will not repeat it here.
Parameters
Because the query process is complex, Bind has a series of configuration options to control it. The options below go in the options block of Bind's main configuration file, named.conf.
recursion { yes | no }: whether the server performs recursive queries for clients at all.
allow-recursion { address_match_list | any | none }: which clients may send recursive queries. Since BIND 9.4 the default is { localhost; localnets; }; setting it to any on a server reachable from the Internet creates an open resolver that can be abused for DNS amplification attacks.
recursive-clients number: the maximum number of recursive lookups the server will perform concurrently on behalf of clients (default 1000); beyond this limit new recursive queries are dropped.
Test
The named.conf used for the test:
options {
    directory "/var/named";
    recursion yes;
};
zone "." { type hint; file "named.ca"; };
zone "liumapp.com" { type master; file "liumapp.com.zone"; };
zone "cnametest.com" { type master; file "cnametest.com.zone"; };
zone "32.29.115.in-addr.arpa" { type master; file "115.29.32.zone"; };
As you can see, I have recursion turned on.
With recursion turned on
Query any domain name with dig, for example www.qqq.com.
From the output you can see that, to find the IP address for www.qqq.com, Bind had to walk through the name servers above it and made 7 queries before it got the final answer.
With recursion turned off
Now change recursion in the configuration file to no, restart Bind, and query a domain name that has not been looked up before, for example www.qqqq.com (www.qqq.com is already cached, so it would still be answered from the cache).
As you can see, once recursion is off the new name is not resolved: the server answers only for the zones it is authoritative for and will not chase the answer for anything else. This is exactly how a public authoritative server should run, so that it cannot be used as an open resolver.
DNS subdomain delegation
NS records drive the iterative query, and they are also what subdomain delegation is built on.
Subdomain delegation:
for example, my server A is authoritative for liumapp.com, and it hands responsibility for the subdomain child.liumapp.com to server B by publishing NS records for child.liumapp.com that point at B. That is called subdomain delegation (subdomain authorization).
The iterative query follows these delegations: from the root, to the top-level domain, to the second-level domain, and so on down the tree, each step being an NS referral.
Test
My parent server is 115.29.32.62 and serves www.liumapp.com; my child server is 106.14.212.41 and serves www.test.liumapp.com.
First, on the parent server, delegate the subdomain to the child: edit the liumapp.com.zone file and add the following two records:
test.liumapp.com.   IN NS ns1.test
ns1.test            IN A  106.14.212.41
The first record delegates test.liumapp.com, a subdomain of liumapp.com, to the name server ns1.test; the second gives that server's address. Note that a name without a trailing dot is relative to the zone origin, so ns1.test here means ns1.test.liumapp.com. Because that name lies inside the delegated subdomain, the A record is required glue: without it a resolver that receives the referral would have no way to reach the child server.
Restart the parent server and move to the shell of the child server.
First back up named.conf, then change its contents to:
options { directory "/var/named"; };
zone "test.liumapp.com" { type master; file "test.liumapp.com.zone"; };
Then create test.liumapp.com.zone under /var/named/ with the following content:
$TTL 7200
@                     IN SOA test.liumapp.com. liumapp.com.gmail.com. ( 222 1H 15M 1W 1D )
@                     IN NS dns1.liumapp.com.
dns1.liumapp.com.     IN A  106.14.212.41
www.test.liumapp.com. IN A  106.14.212.42
Note that the NS name at the child's apex (dns1.liumapp.com) is not the name the parent delegates to (ns1.test.liumapp.com). Querying either server directly still works, but for a consistent delegation the parent's NS records and the child's apex NS records should name the same servers.
Next, restart Bind and test. First query the parent server:
dig @115.29.32.62 www.test.liumapp.com
The result is:
Then query the child server:
dig @106.14.212.41 www.test.liumapp.com
The result is:
If the parent runs with recursion off, or the querying client is not covered by allow-recursion, the first query returns only the referral (the NS and glue records in the authority and additional sections); with recursion enabled for that client, the parent follows the delegation itself and returns the A record.
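As an added example (not part of the original article), here is a small Python check of the delegation above. It parses the parent and child zones, finds the NS records the parent publishes for test.liumapp.com, checks that any name server inside the delegated subdomain has glue in the parent, and compares the delegation against the child's apex NS records, which is the mismatch noted above. The two zone texts are constructed from the records on this page, and the tiny zone-file reader is part of the example, not Bind's own parser.

```python
"""Check a parent -> child DNS delegation for missing glue and NS mismatch.

Added example, not part of the original article. The zone texts are
constructed from the records shown on this page.
"""

PARENT_ZONE = """\
$TTL 7200
@         IN SOA liumapp.com. liumapp.com.gmail.com. ( 222 1H 15M 1W 1D )
@         IN NS  dns1.liumapp.com.
dns1      IN A   115.29.32.62
www       IN A   106.14.212.41
test      IN NS  ns1.test          ; delegation of test.liumapp.com
ns1.test  IN A   106.14.212.41     ; glue for the in-bailiwick name server
"""

CHILD_ZONE = """\
$TTL 7200
@                  IN SOA test.liumapp.com. liumapp.com.gmail.com. ( 222 1H 15M 1W 1D )
@                  IN NS  dns1.liumapp.com.
dns1.liumapp.com.  IN A   106.14.212.41
www                IN A   106.14.212.42
"""


def fqdn(name, origin):
    """Qualify a zone-file name: '@' is the origin, no trailing dot means relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal zone-file reader: $ORIGIN, '@', relative names, '(' continuation
    lines and ';' comments. Returns (owner, type, rdata-fields) tuples."""
    origin = origin.rstrip(".").lower() + "."
    records, pending, owner, starts_blank = [], [], None, False
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()
        if not line.strip():
            continue
        if not pending:
            starts_blank = raw[0].isspace()      # blank owner = previous owner
        pending.append(line)
        joined = " ".join(pending)
        if joined.count("(") > joined.count(")"):
            continue                             # record continues on next line
        fields = joined.replace("(", " ").replace(")", " ").split()
        pending = []
        if fields[0] == "$ORIGIN":
            origin = fields[1].rstrip(".").lower() + "."
            continue
        if fields[0].startswith("$"):           # $TTL etc. are not records
            continue
        if not starts_blank:
            owner = fqdn(fields.pop(0), origin).lower()
        if fields and fields[0].isdigit():       # optional per-record TTL
            fields.pop(0)
        if fields and fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("NS", "CNAME", "MX", "PTR"):  # last field is a domain name
            rdata[-1] = fqdn(rdata[-1], origin).lower()
        records.append((owner, rtype, rdata))
    return records


def check_delegation(parent, child, child_name):
    """List problems with the delegation of child_name from parent to child."""
    child_name = child_name.rstrip(".").lower() + "."
    parent_ns = {r[2][0] for r in parent if r[0] == child_name and r[1] == "NS"}
    child_ns = {r[2][0] for r in child if r[0] == child_name and r[1] == "NS"}
    issues = []
    if not parent_ns:
        issues.append(f"parent has no NS records for {child_name}: nothing is delegated")
    for ns in sorted(parent_ns):
        in_bailiwick = ns.endswith("." + child_name)
        has_glue = any(r[0] == ns and r[1] in ("A", "AAAA") for r in parent)
        if in_bailiwick and not has_glue:
            issues.append(f"{ns} is inside {child_name} but the parent has no glue A/AAAA for it")
    if parent_ns and child_ns and parent_ns != child_ns:
        issues.append(f"parent delegates to {sorted(parent_ns)} but the child apex lists {sorted(child_ns)}")
    return issues


if __name__ == "__main__":
    parent = parse_zone(PARENT_ZONE, "liumapp.com")
    child = parse_zone(CHILD_ZONE, "test.liumapp.com")
    for issue in check_delegation(parent, child, "test.liumapp.com"):
        print("WARN:", issue)
```

Run as-is it reports the NS mismatch between the parent delegation and the child apex; change the child's apex NS to ns1.test.liumapp.com. (with its A record) and the check passes, and drop the ns1.test glue line from the parent and it reports the missing glue instead.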
DNS forwarding concept
Suppose a LAN contains two DNS servers, A and B. The LAN reaches the outside through a firewall, but only A is allowed to talk to DNS servers outside; B can only reach hosts on the intranet. When B needs to resolve an external name, it does so by forwarding the query to A, and A resolves it on B's behalf.
Configuration
First, the configuration items for forwarding (in the options block, or inside a zone of type forward):
forwarders { address_list; }: the list of servers to forward queries to.
forward only;: send queries only to the forwarders; if they do not answer, fail rather than falling back to iterative resolution.
forward first;: try the forwarders first and, if they do not answer, resolve the name iteratively yourself.
Whichever you choose, the forwarders' answers are accepted as they are unless DNSSEC validation is enabled, so only forward to servers you trust.
Test
Again the parent server is 115.29.32.62 and the child server 106.14.212.41. This time the parent server forwards queries for one domain, and the child server is authoritative for that domain.
First configure authoritative resolution on the child server:
go to /var/named and create a new file, dnstest.com.zone (I do not own this domain; it is just a name for the test), with the following content:
$TTL 7200
@                 IN SOA dnstest.com. liumapp.com.gmail.com. ( 222 1H 15M 1W 1D )
@                 IN NS dns.dnstest.com.
dns.dnstest.com.  IN A  106.14.212.41
www.dnstest.com.  IN A  6.6.6.6
Then add the following to named.conf:
zone "dnstest.com" { type master; file "dnstest.com.zone"; };
and at the same time delete the earlier
zone "test.liumapp.com" { type master; file "test.liumapp.com.zone"; };
Restart Bind.
Then go to the shell of the parent server. Forward zones (type forward) are a BIND 9 feature, so before starting, check the version:
nslookup -q=txt -class=CHAOS version.bind
On my server the result is:
[root@iZ28vhwdq63Z ~]# nslookup -q=txt -class=CHAOS version.bind
Server:    10.202.72.116
Address:   10.202.72.116#53
version.bind    text = "9.9.9-P3-RedHat-9.9.9-2.1.alios6"
Note that without an explicit server argument nslookup asks the resolver from /etc/resolv.conf (here 10.202.72.116); to ask your own Bind instance, append it: nslookup -q=txt -class=CHAOS version.bind 127.0.0.1. This CHAOS-class query is also how an attacker fingerprints your server, so on a production server set version "none"; (or a fixed string) in the options block so the exact build is not revealed.
Then add the following to the parent's named.conf:
zone "dnstest.com" { type forward; forwarders { 106.14.212.41; }; };
Next, run dig on the parent server:
dig @127.0.0.1 www.dnstest.com
to ask it to resolve www.dnstest.com. The result is as follows:
Note that a forward zone only works when recursion is enabled (recursion yes) and the querying client is permitted by allow-recursion: forwarding is a recursive lookup performed on the client's behalf, so with recursion no the server will not forward and the query goes unanswered.
DNS master-slave zone transfer
A zone is the unit of administration for a DNS server: a single domain, or a domain together with closely related subdomains below it, managed as one whole. Name servers manage the namespace zone by zone rather than domain by domain, and the name of a zone is the domain name at which it starts. In other words, a zone corresponds to the resolution of one domain and everything beneath it that has not been delegated away.
DNS master-slave synchronization
Suppose we have two servers, a DNS master (primary) and a DNS slave (secondary). Synchronization between them proceeds as follows:
the master sends a NOTIFY message to the slave (if NOTIFY is not enabled, the slave instead polls at the refresh interval from the SOA record);
the slave queries the master for the zone's SOA record;
the master returns the SOA record;
the slave compares the serial number in that SOA with the serial of its own copy. The comparison uses the wrap-around serial arithmetic of RFC 1982, so "newer" means ahead on a 32-bit circle, not simply numerically larger;
if the master's serial is newer, the slave sends a zone transfer request (AXFR, or IXFR for an incremental transfer) to the master, the master returns the zone data, and the slave updates its copy. If not, nothing needs to be updated.
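The decision in the last two steps hinges on the serial comparison, so here it is as an added Python example (not part of the original article and not Bind's code): RFC 1982 serial arithmetic, the slave's transfer decision built on it, and a helper that produces the next serial in the common YYYYMMDDnn scheme without ever producing a value the slave would consider old. The serial numbers are the ones used later in this article (225 bumped to 226) plus a constructed wrap-around case.

```python
"""RFC 1982 serial comparison and the secondary's refresh decision.

Added example, not part of the original article.
"""

MOD = 1 << 32


def serial_newer(candidate, current):
    """True if `candidate` is ahead of `current` on the 32-bit serial circle.

    RFC 1982: a serial is newer when the forward distance is between 1 and
    2**31 - 1. This is what a secondary uses to compare the primary's SOA serial
    with its own copy, and it means a serial that wrapped from 4294967295 to 0
    still counts as an increase.
    """
    distance = (candidate - current) % MOD
    return 0 < distance < (1 << 31)


def refresh_decision(primary_serial, secondary_serial):
    """Steps 2-5 above: after the SOA query/answer, does the secondary transfer?"""
    if serial_newer(primary_serial, secondary_serial):
        return "transfer"      # secondary sends AXFR/IXFR and replaces its copy
    return "up-to-date"        # also the case when the admin forgot to bump the serial


def bump_serial(current, today):
    """Next serial in the YYYYMMDDnn scheme (`today` as an int like 20250329).

    Several edits on the same day get nn = 00, 01, 02, ...; if the zone's current
    serial is already past today's value (a plain counter that grew large, or a
    mistyped future date), fall back to current + 1 so the result is still newer
    under RFC 1982 rather than silently going backwards.
    """
    candidate = today * 100
    if not serial_newer(candidate, current):
        candidate = (current + 1) % MOD
    return candidate


if __name__ == "__main__":
    # The article's test: master bumped from 225 to 226, slave still at 225.
    print(refresh_decision(226, 225))          # transfer
    print(refresh_decision(225, 225))          # up-to-date: serial not incremented
    print(refresh_decision(0, 0xFFFFFFFF))     # transfer: wrapped around, still newer
    print(bump_serial(2025032900, 20250329))   # 2025032901
```

The "up-to-date" branch for equal serials is the failure mode the prerequisites below warn about: a changed zone file whose serial was not incremented never reaches the slave, and no error is logged because, from the protocol's point of view, nothing changed.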
DNS master-slave configuration
Before starting, a few things to check:
make sure the firewall does not block Bind's listening port, by default 53. Zone transfers run over TCP, so 53/tcp must be open as well as 53/udp;
make sure the named user has permission to read and write the relevant directories (/var/named, and /var/named/slaves on the slave);
make sure the clocks of the master and slave are in sync (this matters once TSIG is used, since each signature carries a timestamp that is only accepted within a small window);
after setup, every time you change the zone on the master you must increment the serial number, otherwise the slave considers its copy current and never pulls the change.
Server configuration
Master server
zone "liumapp.com" {
    type master;
    notify yes;
    also-notify { 106.14.212.41; };
    file "liumapp.com.zone";
};
notify yes enables NOTIFY; also-notify { } lists additional slave servers to notify (the servers named in the zone's own NS records are notified automatically).
Slave server
options {
    directory "/var/named";
    allow-query { any; };
    recursion yes;
};
zone "liumapp.com" {
    type slave;
    file "slaves/liumapp.com.zone";
    masters { 115.29.32.62; };
};
file names where the copy pulled from the master is stored, here /var/named/slaves/liumapp.com.zone. (Newer BIND 9 releases also accept type primary, type secondary and primaries { } as synonyms for master, slave and masters.)
I use the server at 115.29.32.62 as the master and the one at 106.14.212.41 as the slave.
First, configure the master and slave according to the two fragments above.
Then restart Bind on both servers. Afterwards you should find a liumapp.com.zone file under /var/named/slaves/ on the slave, with the same content as /var/named/liumapp.com.zone on the master.
At this point it no longer matters which server we ask:
dig @115.29.32.62 www.liumapp.com
asks the master for www.liumapp.com, and
dig @106.14.212.41 www.liumapp.com
asks the slave; the answer is the same.
Test
With the configuration above in place, let us test synchronization between master and slave.
In /var/named/liumapp.com.zone on the master, add a record:
liumei.liumapp.com. IN A 8.8.5.6
Then bump the serial number. The SOA record is:
liumapp.com. IN SOA liumapp.com. liumapp.com.gmail.com. ( 225 1H 15M 1W 1D )
The first number in the parentheses, 225, is the serial; change it to 226.
Restart the server (rndc reload liumapp.com would do as well) and run:
dig @106.14.212.41 liumei.liumapp.com
The slave now resolves liumei.liumapp.com to 8.8.5.6, which shows that the change was transferred.
DNS zone transfer restriction
First, from a local machine, run:
dig @115.29.32.62 axfr liumapp.com
With no restriction configured, this returns every record of liumapp.com held by 115.29.32.62: the whole zone, internal host names included, in a single request.
From a security point of view I certainly do not want that, so transfers have to be restricted.
Methods
Host-based access control
Restrict by the source IP address of the requester.
allow-transfer { address_match_list | none; }: the hosts allowed to transfer the zone. It can be set globally in options or per zone. Because a transfer runs over TCP the source address cannot be spoofed as easily as with UDP, but the rule still trusts the network rather than the peer.
Transaction signature
The transfer request is authenticated with a keyed hash (TSIG) using a secret shared between master and slave. This authenticates the request and protects its integrity; it does not encrypt the zone data. I will do the transaction signature test later, under DNS data encryption.
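As an added example (not part of the article), a small Python audit of a named.conf text for the three settings discussed on this page: recursion and allow-recursion from the recursive-query section, forward zones that need recursion, and allow-transfer from this section. The parser handles only the subset of named.conf syntax used here (nested braces, quoted strings, comments) and is an assumption of the example; so are the two constructed configurations, one reassembled from this article's first named.conf and one hardened version of it.

```python
"""Audit a named.conf text for open recursion, open zone transfers and
forward zones that cannot work. Added example, not part of the original
article; the parser covers a small subset of named.conf syntax
(statements, nested { } blocks, quoted strings, comments)."""
import re

# Constructed from this article's first configuration: recursion on, no
# allow-recursion, and master zones without any allow-transfer.
OPEN_CONF = """
options { directory "/var/named"; recursion yes; };
zone "." { type hint; file "named.ca"; };
zone "liumapp.com" { type master; file "liumapp.com.zone"; };
zone "32.29.115.in-addr.arpa" { type master; file "115.29.32.zone"; };
"""

# Constructed: the same server configured as a public authoritative server.
HARDENED_CONF = """
options {
    directory "/var/named";
    recursion no;                 // authoritative only, never an open resolver
    allow-transfer { none; };     // global default: nobody may AXFR
};
zone "." { type hint; file "named.ca"; };
zone "liumapp.com" {
    type master; notify yes; also-notify { 106.14.212.41; };
    allow-transfer { key "liumapp-key"; };   /* only the slave holding the TSIG key */
    file "liumapp.com.zone";
};
"""


def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def tokenize(text):
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)


def parse(tokens, i=0):
    """Return (statements, next_index); a statement is (words, block-or-None)."""
    stmts = []
    while i < len(tokens):
        if tokens[i] == "}":
            return stmts, i + 1
        words, block = [], None
        while i < len(tokens) and tokens[i] not in (";", "}"):
            if tokens[i] == "{":
                block, i = parse(tokens, i + 1)
            else:
                words.append(tokens[i].strip('"'))
                i += 1
        if i < len(tokens) and tokens[i] == ";":
            i += 1
        if words:
            stmts.append((words, block))
    return stmts, i


def acl(block):
    """Flatten an address_match_list into strings: 'any', '10.0.0.0/8', 'key liumapp-key'."""
    return [" ".join(w) for w, _ in (block or [])]


def audit(conf_text):
    stmts, _ = parse(tokenize(strip_comments(conf_text)))
    findings, options = [], {}
    for words, block in stmts:
        if words[0] == "options":
            options = {w[0]: (w[1:], b) for w, b in (block or [])}
    recursion = options.get("recursion", (["yes"], None))[0][0]     # BIND default is yes
    if recursion == "yes":
        if "allow-recursion" not in options:
            findings.append("recursion yes without allow-recursion: relies on BIND's default "
                            "(localhost; localnets); state the permitted clients explicitly")
        elif "any" in acl(options["allow-recursion"][1]):
            findings.append("open resolver: recursion yes with allow-recursion { any; }")
    global_xfer = acl(options["allow-transfer"][1]) if "allow-transfer" in options else None
    for words, block in stmts:
        if words[0] != "zone":
            continue
        name = words[1]
        zone = {w[0]: (w[1:], b) for w, b in (block or [])}
        ztype = zone.get("type", ([""], None))[0][0]
        if ztype == "forward" and recursion != "yes":
            findings.append(f'zone "{name}": type forward needs recursion yes to do anything')
        if ztype not in ("master", "primary"):
            continue
        xfer = acl(zone["allow-transfer"][1]) if "allow-transfer" in zone else global_xfer
        if xfer is None:
            findings.append(f'zone "{name}": no allow-transfer, so any host can AXFR the zone')
        elif "any" in xfer:
            findings.append(f'zone "{name}": allow-transfer {{ any; }} hands the zone to anyone')
    return findings


if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit(conf) or ["no findings"])
```

The "no allow-transfer" finding is the condition under which the AXFR at the start of this section succeeds; named-checkconf will happily accept such a file, since it checks syntax, not intent, which is why a check like this belongs in the review of any authoritative server's configuration.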
Test
Make the following change in named.conf on the master:
zone "liumapp.com" {
    type master;
    notify yes;
    also-notify { 106.14.212.41; };
    allow-transfer { 106.14.212.41; };
    file "liumapp.com.zone";
};
After restarting Bind, go back to the local machine and repeat:
dig @115.29.32.62 axfr liumapp.com
This time the transfer is refused.
But the data can still be obtained from 106.14.212.41:
dig @106.14.212.41 axfr liumapp.com
The results are as follows:
Note what this second command shows: it asks the slave, which has no allow-transfer of its own, so the zone still leaks through it. Restrict transfers on the slave as well (typically allow-transfer { none; }, since nobody should need to transfer from it).
DNS data encryption methods
Symmetric encryption (for example DES, which is obsolete today, or AES)
Overview: encryption and decryption use the same key; simple and fast.
Process: suppose sender A and receiver B share the same key. Before sending the plaintext to B, A encrypts it into ciphertext with the key and the encryption algorithm; B then decrypts the ciphertext back into plaintext with the same key and the decryption algorithm.
Asymmetric (public-key) encryption (for example RSA)
Overview: each party has a key pair, a public key and a private key; the private key never leaves its owner, which removes the problem of distributing a shared secret that the symmetric method has.
Process: suppose sender A and receiver B each have their own private and public key, and A obtains B's public key. A first generates a session key, encrypts it with B's public key and sends it to B; B decrypts it with its own private key and so obtains the session key generated by A. After that, A encrypts the plaintext with the session key and sends the ciphertext to B, and B decrypts it with the session key it obtained in advance. (This combination of a public-key exchange with symmetric bulk encryption is a hybrid scheme.)
DNS transaction signature
Transaction signatures come in two forms:
TSIG: symmetric, a keyed hash (HMAC) over the message using a secret shared by both servers;
SIG(0): asymmetric, a public-key signature over the message.
TSIG is by far the more common; it is what Bind uses to authenticate zone transfers, NOTIFY and dynamic updates between servers. It provides authentication, integrity and (through a timestamp) replay protection, not confidentiality.
TSIG transaction signature
Parameters:
key "name" { algorithm ...; secret "..."; };: defines a key (name, HMAC algorithm and base64 secret), usually kept in a separate file pulled in with include;
server address { keys { "name"; }; };: on the requesting side, sign every message sent to that server with the key;
allow-transfer { key "name"; };: on the serving side, permit transfers only when the request carries a valid signature made with that key.
Test
First go to the master and generate a key. I do this under /usr/key on the master; make sure that directory is readable by the named user, and by nobody who does not need it, since it will hold the shared secret.
Run:
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST liumapp-key
-a: the HMAC algorithm
-b: key length in bits
-n: ZONE or HOST (HOST for a TSIG key)
liumapp-key: the key name
HMAC-MD5 is deprecated; on any current BIND prefer HMAC-SHA256 with a 256-bit key. Recent BIND releases no longer generate HMAC keys with dnssec-keygen at all; use tsig-keygen -a hmac-sha256 liumapp-key instead, which prints the complete key statement ready to paste into the configuration.
The contents of the public key file and private key file I generated are as follows:
Then copy the secret from the private key file, go to /var/named/chroot/etc and create a new file named liumapp-key with the following content:
key "liumapp-key" {
    algorithm hmac-md5;
    secret "ghWgud4mhN11PKBIITgxbg==";
};
The value of secret is copied from the generated private key file. This file is the shared secret: give it restrictive permissions (owner root, group named, mode 640) so that only named can read it.
Then edit named.conf and add:
include "/var/named/chroot/etc/liumapp-key";
This line must appear before zone "liumapp.com", because the key has to be defined before it is referenced.
Then modify the configuration of zone "liumapp.com"; the final result is:
include "/var/named/chroot/etc/liumapp-key";
zone "liumapp.com" {
    type master;
    notify yes;
    also-notify { 106.14.212.41; };
    allow-transfer { key "liumapp-key"; };
    file "liumapp.com.zone";
};
The key name in allow-transfer is the name I gave the key in the key statement.
Then restart Bind. The next step is to configure the slave, but first copy the key file liumapp-key to it:
scp liumapp-key root@106.14.212.41:`pwd`
The result is as follows:
Then configure the slave's named.conf: include liumapp-key, and tell Bind to sign messages to the master with that key using a server statement. The final result is:
options {
    directory "/var/named";
    allow-query { any; };
    recursion yes;
};
include "/var/named/chroot/etc/liumapp-key";
server 115.29.32.62 {
    keys { "liumapp-key"; };
};
zone "dnstest.com" { type master; file "dnstest.com.zone"; };
zone "liumapp.com" {
    type slave;
    file "slaves/liumapp.com.zone";
    masters { 115.29.32.62; };
};
Restart the Bind service on the slave, then go back to the master.
Add another A record to liumapp.com.zone and, of course, increment the serial again (I had lost count of how far it had been bumped). In short, my zone now reads:
$TTL 7200
liumapp.com.            IN SOA liumapp.com. liumapp.com.gmail.com. ( 226 1H 15m 1W 1D )
liumapp.com.            IN NS dns1.liumapp.com.
dns1.liumapp.com.       IN A  115.29.32.62
www.liumapp.com.        IN A  106.14.212.41
liumei.liumapp.com.     IN A  8.8.5.6
heiheihei.liumapp.com.  IN A  9.9.9.9
@                       IN MX 10 mail
mail                    IN A  115.29.32.63
test.liumapp.com.       IN NS ns1.test
ns1.test                IN A  106.14.212.41
Then restart Bind and run:
tail -f /var/log/messages
The log shows the following:
As you can see, right after I modified liumapp.com.zone the master notified the slave and the zone was transferred immediately, with the exchange authenticated by the TSIG key. Bear in mind that allow-transfer { key "liumapp-key"; } lets any host holding the secret transfer the zone, so the key file must be protected on both servers; to require both a known address and the key, nest the ACL, for example allow-transfer { !{ !106.14.212.41; any; }; key "liumapp-key"; };.
That is all for the advanced features of Bind. If you want to know more, please follow the industry information channel; thank you for your support.