DNS Setup and Maintenance
邵喻美, Computer and Information Networking Center, National Taiwan University (台灣大學計資中心)
madeline@ccms.ntu.edu.tw
2018/9/20
Outline
  DNS concepts
  Introduction to BIND
  Worked examples
Part I: DNS Concepts
DNS concepts
  What DNS is
  How DNS works
  DNS deployment and planning
Domain Name System (DNS)
  IP addresses vs. host names
  Middleware between applications and the underlying network
  The most basic network application: nearly every other service depends on it
  Names are user-friendly; addresses are router-friendly
What DNS is
  DNS's predecessor was a single, centrally maintained hosts.txt file, which did not scale
  Hierarchical vs. flat name space: a hierarchy lets each organization administer its own names without global coordination
DNS architecture
  A large distributed database with a client/server structure
  The name space is an inverted tree, structured like the Unix file system
  Replication (secondary servers) and caching
  Two kinds of components: domain name servers and resolvers
How DNS works: the domain name space
  The domain name space is an inverted tree
  The Internet domain name space is divided at the top into gTLDs (generic top-level domains) and country-code TLDs such as tw
  A domain name is the path through the inverted tree from a leaf up to the root
  Written out in full, ending at the root, it is a Fully Qualified Domain Name (FQDN)
Original gTLDs
  com     commercial organizations, e.g. IBM (ibm.com)
  edu     educational institutions, e.g. UC Berkeley (berkeley.edu)
  gov     US government agencies, e.g. NASA (nasa.gov) and the National Science Foundation (nsf.gov)
  mil     US military, e.g. the Army (army.mil) and the Navy (navy.mil)
  net     network organizations, e.g. NSFNET (nsf.net)
  org     non-profit organizations, e.g. nationalpark.org
  int     international organizations, e.g. NATO (nato.int)
Newer gTLDs
  coop    cooperatives (http://www.nic.coop)
  biz     business use (live since 6/21/2001, http://www.nic.biz)
  aero    air-transport industry (in service since 3/18/2002, www.nic.aero)
  museum  museums (http://www.nic.museum)
  info    open to all registrants (live since 6/21/2001, www.nic.info)
  pro     licensed professionals (http://www.nic.pro)
  name    personal names, including pen names (http://www.nic.name)
Domain
  A subtree of the domain name space
  It contains every domain name (every host) below that point
  A single domain name therefore belongs to several domains at once: its own, its parent's, and so on up to the root
Delegation and zones
  Delegation splits a domain into subdomains and hands administrative responsibility for them to other organizations
  A zone is the part of the domain name space for which one name server holds the complete data
  Zone boundaries are defined by delegation: a domain minus its delegated subdomains is a zone
Types of name servers
  Primary (master) server: reads its zone data from a file on disk; authoritative for the zones it serves
  Secondary (slave) server: obtains its zone data from another server that is authoritative for the zone, by zone transfer; it is authoritative too
  Caching-only server: looks up data on behalf of clients and caches the answers; not authoritative for any zone (except 0.0.127.in-addr.arpa)
Name resolution
  Besides answering for its own zones, a name server can search the whole domain name space for data held in other zones
  Recursive resolution: the queried server must return the final answer (or an error); it does the work itself
  Iterative resolution: the queried server returns only the best answer it already has, usually a referral to name servers closer to the target
Reverse queries
  Mapping addresses back to names
  The domain name space is indexed by domain name, so addresses get their own subtree, in-addr.arpa, whose labels are the address octets in reverse order (140.112.1.2 becomes 2.1.112.140.in-addr.arpa)
Caching
  Delegation (zone authority) information learned during resolution is cached, so later queries start lower in the tree
  Negative caching: answers that a name does not exist are cached as well
  Cached zone data expires according to its TTL
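The resolution and caching behaviour described on the last three slides, as an added example that is not part of the original slides: a toy recursive server performs iterative queries on the client's behalf, walking from the root hints down through NS referrals (with glue), and caches the delegations, positive answers and negative answers it learns. Every server name, address and record below is constructed for the example (192.0.2.0/24 is the documentation prefix); only the root server name and address are the ones from the root hints later in this deck.

```python
"""Toy model of iterative resolution with delegation, answer and negative caching.
Added example; the delegation chain below (. -> tw. -> edu.tw. -> ntu.edu.tw.)
and all addresses except the root server's are constructed, not real."""
from collections import namedtuple

Answer = namedtuple("Answer", "rcode rrs servers_asked")

def suffixes(name):
    """Yield a name and each ancestor up to the root:
    www.ntu.edu.tw. -> ntu.edu.tw. -> edu.tw. -> tw. -> ."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."

class AuthServer:
    """One authoritative server: the apex of the zone it serves and its records,
    stored as {owner name: [(type, rdata), ...]}."""
    def __init__(self, apex, records):
        self.apex, self.records = apex, records

    def query(self, qname, qtype):
        rrs = [rd for t, rd in self.records.get(qname, []) if t == qtype]
        if rrs:                       # authoritative answer (dig shows this as the "aa" flag)
            return {"kind": "ANSWER", "rrs": rrs}
        # No data: refer the querier to the deepest delegation below our apex that
        # covers qname, and include glue A records for the delegated servers.
        for cand in suffixes(qname):
            if cand == self.apex:
                break
            ns = [rd for t, rd in self.records.get(cand, []) if t == "NS"]
            if ns:
                glue = {n: rd for n in ns for t, rd in self.records.get(n, []) if t == "A"}
                return {"kind": "REFERRAL", "zone": cand, "ns": ns, "glue": glue}
        return {"kind": "NXDOMAIN"}

class RecursiveServer:
    """Answers clients recursively by issuing iterative queries itself."""
    def __init__(self, network, root_name, root_addr):
        self.network = network                   # address -> AuthServer (the "Internet")
        self.delegations = {".": [root_name]}    # zone -> NS names, from hints and referrals
        self.addresses = {root_name: root_addr}  # NS name -> address, from hints and glue
        self.cache, self.negative = {}, set()    # positive and negative answer caches

    def resolve(self, qname, qtype):
        key = (qname, qtype)
        if key in self.cache:
            return Answer("NOERROR", self.cache[key], [])
        if key in self.negative:
            return Answer("NXDOMAIN", [], [])
        # Start at the closest enclosing zone whose servers we already know.
        zone = next(z for z in suffixes(qname) if z in self.delegations)
        addr, asked = self.addresses[self.delegations[zone][0]], []
        while True:
            asked.append(addr)
            resp = self.network[addr].query(qname, qtype)
            if resp["kind"] == "ANSWER":
                self.cache[key] = resp["rrs"]
                return Answer("NOERROR", resp["rrs"], asked)
            if resp["kind"] == "NXDOMAIN":
                self.negative.add(key)
                return Answer("NXDOMAIN", [], asked)
            # Referral: remember the delegation and its glue, then go one level down.
            self.delegations[resp["zone"]] = resp["ns"]
            self.addresses.update(resp["glue"])
            addr = self.addresses[resp["ns"][0]]   # assumes the referral carried glue

# Constructed delegation chain; 198.41.0.4 is a.root-servers.net from the hint file.
NETWORK = {
    "198.41.0.4": AuthServer(".", {
        "tw.": [("NS", "a.dns.tw.")], "a.dns.tw.": [("A", "192.0.2.1")]}),
    "192.0.2.1": AuthServer("tw.", {
        "edu.tw.": [("NS", "ns.edu.tw.")], "ns.edu.tw.": [("A", "192.0.2.2")]}),
    "192.0.2.2": AuthServer("edu.tw.", {
        "ntu.edu.tw.": [("NS", "dns.ntu.edu.tw.")], "dns.ntu.edu.tw.": [("A", "192.0.2.3")]}),
    "192.0.2.3": AuthServer("ntu.edu.tw.", {
        "dns.ntu.edu.tw.": [("A", "192.0.2.3")],
        "www.ntu.edu.tw.": [("A", "192.0.2.80")],
        "ftp.ntu.edu.tw.": [("A", "192.0.2.21")]}),
}

def demo():
    """A cold lookup that walks all four levels, a warm one that starts directly
    at ntu.edu.tw., a negative one, and the same negative one served from cache."""
    r = RecursiveServer(NETWORK, "a.root-servers.net.", "198.41.0.4")
    return [r.resolve("www.ntu.edu.tw.", "A"),
            r.resolve("ftp.ntu.edu.tw.", "A"),
            r.resolve("nope.ntu.edu.tw.", "A"),
            r.resolve("nope.ntu.edu.tw.", "A")]

if __name__ == "__main__":
    for a in demo():
        print(a)
```

The servers_asked field is what makes the caching visible: the first lookup costs four round trips, the second only one, and the repeated negative lookup none.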
DNS deployment and planning
  Software platform
  Hardware: memory (the cache and zone data live in RAM), network interface
  Place name servers to match the network topology
  Run more than one server so that DNS survives the loss of a machine or a link
Part II: Introduction to BIND
Introduction to BIND
  ISC BIND (Berkeley Internet Name Domain)
  Installing BIND
  Configuring BIND
  DNS resource records
Installing BIND
  Download from http://www.isc.org/products/BIND/
  At the time of writing the latest ISC release is 9.2.1 (May 1, 2002); BIND 8 is still widely used (latest 8.3.2, June 19, 2002). Both are long out of support today; run a currently maintained release.
  A BIND with support for Chinese domain names: http://cdns.twnic.net.tw
  Build and install:
    zcat bind-src.tar.gz | tar xf -
    ./configure
    make
    make install
  Start the daemon: /usr/sbin/named (it reads /etc/named.conf by default)
  Start with a configuration file elsewhere: /usr/sbin/named -c /somewhereelse/named.conf
Configuring BIND
  The configuration file named.conf defines the zones the server is responsible for and how the server operates
  Statements and comments
  Access control lists
  Categorized logging
  Options can be applied to individual zones selectively, overriding the global defaults
  Each statement ends with a semicolon; comments begin with # or // (C-style /* */ is also accepted)
Statement types
  acl      defines a named list of IP addresses or prefixes, used for access control and other purposes
  logging  specifies what the name server logs and where the log goes
  options  controls global server settings and supplies the defaults for the other statements
  zone     defines a zone and where its data comes from
A simple BIND 8 configuration (braces and semicolons completed):

    # A simple BIND 8 configuration
    logging {
        channel SEC_log {
            file "/var/log/dns-security.log" versions 3 size 10m;
            severity info;
        };
        category security { SEC_log; };
        category lame-servers { null; };
    };

    acl NTU-Campus { localhost; 140.112.0.0/16; };

    options {
        directory "/var/named";
        allow-query { NTU-Campus; };
        allow-recursion { NTU-Campus; };   // BIND 9 (also in later BIND 8 releases)
        allow-transfer { none; };          // global default; opened per zone below
    };

    zone "ntu.edu.tw" in {
        type master;
        file "master/dns.ntu";
        allow-query { any; };
        allow-transfer { …; };   // addresses of this zone's secondary name servers
    };

    zone "cc.ntu.edu.tw" in {
        type slave;
        file "slave/dns.ntu.cc";
        masters { 140.112.1.1; };
    };

    zone "." in {
        type hint;
        file "named.cache";
    };

    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "master/127.0.0";
    };
DNS resource records: SOA (Start Of Authority)
  The first record in a zone data file, and the only SOA record in the zone
  Example:

    ntu.edu.tw. IN SOA dns1.ntu.edu.tw. root.ccms.ntu.edu.tw. (
            2002070101 ; Serial
            10800      ; Refresh after 3 hours
            3600       ; Retry after 1 hour
            604800     ; Expire after 1 week
            86400 )    ; Minimum TTL of 1 day

  Times without a unit are in seconds; M (minutes), H (hours), D (days) and W (weeks) may also be used
  Since BIND 8.2 (RFC 2308) the last field is the negative-caching TTL, not the zone's default TTL; the default TTL for records comes from the $TTL directive at the top of the file
NS records (Name Server)
  List the name servers for the zone; the same NS set should appear at the delegation point in the parent zone
  Example:

    ntu.edu.tw. IN NS dns1.ntu.edu.tw.
    ntu.edu.tw. IN NS dns2.ntu.edu.tw.
A records (Address) and CNAME records (Alias)
  A maps a name to an IPv4 address; a name with several A records is answered in rotating order (round robin)
  CNAME makes one name an alias for another (the canonical name)

    host1.ntu.edu.tw. IN A     140.112.1.2
    host2.ntu.edu.tw. IN A     140.112.1.3
    host2.ntu.edu.tw. IN A     140.112.10.4
    host5.ntu.edu.tw. IN CNAME host1.ntu.edu.tw.
PTR records (address-to-name mapping)
  Each address should point to exactly one canonical name

    2.1.112.140.in-addr.arpa. IN PTR host1.ntu.edu.tw.
    3.1.112.140.in-addr.arpa. IN PTR host2.ntu.edu.tw.
MX records (Mail eXchanger)
  Control where, and in what order, mail for a domain is delivered
  An MX record carries a preference value and the mail host's domain name
  The lowest preference value is tried first; among records with equal preference the sender picks at random
  The mail host must be a name with an A record (not a CNAME)
  Example:

    example.com.      IN MX 10 mail.example.com.
                      IN MX 10 mail2.example.com.
                      IN MX 20 mail.backup.org.
    mail.example.com.  IN A 10.0.0.1
    mail2.example.com. IN A 10.0.0.2
Loopback address
  The reverse zone for the loopback network; the loopback network is 127.0.0 and the loopback host is 127.0.0.1

    0.0.127.in-addr.arpa. IN SOA dns.ntu.edu.tw. root.ccms.ntu.edu.tw. (
            2001071701 ; serial
            86400      ; refresh
            3600       ; retry
            870000     ; expire
            127800 )   ; minimum
    0.0.127.in-addr.arpa.   IN NS  dns.ntu.edu.tw.
    1.0.0.127.in-addr.arpa. IN PTR localhost.
Root cache data (the hint file): the name servers of the root domain

    .                    3600000  IN  NS  A.ROOT-SERVERS.NET.
    A.ROOT-SERVERS.NET.  3600000      A   198.41.0.4
    .                    3600000      NS  B.ROOT-SERVERS.NET.
    B.ROOT-SERVERS.NET.  3600000      A   128.9.0.107
    .                    3600000      NS  C.ROOT-SERVERS.NET.
    C.ROOT-SERVERS.NET.  3600000      A   192.33.4.12
    .                    3600000      NS  D.ROOT-SERVERS.NET.
    D.ROOT-SERVERS.NET.  3600000      A   128.8.10.90
    .                    3600000      NS  E.ROOT-SERVERS.NET.
    E.ROOT-SERVERS.NET.  3600000      A   192.203.230.10
    .                    3600000      NS  F.ROOT-SERVERS.NET.
    F.ROOT-SERVERS.NET.  3600000      A   192.5.5.241
    .                    3600000      NS  G.ROOT-SERVERS.NET.
    G.ROOT-SERVERS.NET.  3600000      A   192.112.36.4
    .                    3600000      NS  H.ROOT-SERVERS.NET.
    H.ROOT-SERVERS.NET.  3600000      A   128.63.2.53
    .                    3600000      NS  I.ROOT-SERVERS.NET.
    I.ROOT-SERVERS.NET.  3600000      A   192.36.148.17
    .                    3600000      NS  J.ROOT-SERVERS.NET.
    J.ROOT-SERVERS.NET.  3600000      A   198.41.0.10
    .                    3600000      NS  K.ROOT-SERVERS.NET.
    K.ROOT-SERVERS.NET.  3600000      A   193.0.14.129
    .                    3600000      NS  L.ROOT-SERVERS.NET.
    L.ROOT-SERVERS.NET.  3600000      A   198.32.64.12
    .                    3600000      NS  M.ROOT-SERVERS.NET.
    M.ROOT-SERVERS.NET.  3600000      A   202.12.27.33

  These are the addresses as of 2002. Several root servers (B, D, H, J and L among them) have moved since, so do not copy this list; regenerate it with dig as described under maintenance
Maintaining BIND
  Reloading the name server: kill -HUP <named-pid> (BIND 9: rndc reload)
  Updating zone files: always increase the SOA serial number; a secondary only transfers the zone when it sees a larger serial
    Starting over with a new serial number: synchronize the serial number at zero, or remove the zone data on the secondary and restart it
  Keeping the root cache data current: check the root hints every month or two
    dig @a.root-servers.net . ns > db.cache
BIND logging
  Channels specify where log data goes (syslog, a file, or stderr) and the message severity to accept: critical, error, warning, notice, info, debug [level], dynamic
  Categories specify which kind of data is logged; each category can be sent to one or more channels
    logging {
        channel my_syslog {
            syslog daemon;
            severity info;
        };
        channel my_file {
            file "log.msgs";
            severity dynamic;
        };
        category default { null; };
        category statistics { my_syslog; my_file; };
        category queries { my_file; };
    };
Common mistakes
  Forgetting to increase the serial number
  Forgetting to reload the name server after changing its data
  The secondary server cannot load the zone data
  Adding a name to the zone file but forgetting the matching PTR record
  Syntax errors in the configuration file or in a zone file
  Forgetting the trailing dot after a name in a zone file (the name is then taken as relative to the origin)
  Forgetting to install the root cache data
  Network connectivity failures
  Missing delegation of a subdomain
  Incorrect delegation of a subdomain
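The first and the trailing-dot mistakes above (and the serial-number rule from the maintenance slide) can be caught before a reload. The checker below is an added example, not code from the original slides: it applies the master-file rule that a name without a trailing dot is relative to $ORIGIN and shows what such a name silently expands to, judges whether a new SOA serial is actually newer using RFC 1982 serial arithmetic (the comparison a secondary performs), and produces the next YYYYMMDDnn serial. The two zone snippets are constructed for the example; the host names in them are assumptions.

```python
"""Zone-file checks for relative names and SOA serial handling. Added example;
OLD_ZONE / NEW_ZONE below are constructed inputs, not real NTU zone data."""
from datetime import date

MAX_SERIAL = 2 ** 32

def qualify(name, origin):
    """Master-file rule: '@' is the origin; a name without a trailing dot is
    relative to the origin; a name with one is already absolute."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def serial_is_newer(new, old):
    """RFC 1982: `new` is newer than `old` if it is ahead by 1..2^31-1 in 32-bit
    modular arithmetic. Equal serials are not newer, and being 'ahead' by 2^31
    or more means it is actually behind (this is what makes a wrap-around work)."""
    diff = (new - old) % MAX_SERIAL
    return 0 < diff < 2 ** 31

def next_serial(current, today=None):
    """YYYYMMDDnn serial strictly after `current`: today's date with nn=00, or
    current+1 if the current serial already is at (or beyond) today's date."""
    today = today or date.today()
    return max(int(today.strftime("%Y%m%d")) * 100, current + 1)

def parse_zone(text):
    """Tokenise a master file: drop ';' comments, join parenthesised multi-line
    records, and fill in a blank owner name from the previous record."""
    records, buf, owner = [], [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        toks = line.replace("(", " ( ").replace(")", " ) ").split()
        if not buf:                                   # first line of a record
            if line[0].isspace() and owner and not toks[0].startswith("$"):
                toks.insert(0, owner)                 # blank owner = previous owner
            if not toks[0].startswith("$"):
                owner = toks[0]
        buf.extend(toks)
        if "(" in buf and ")" not in buf:
            continue                                  # still inside the parentheses
        records.append([f for f in buf if f not in ("(", ")")])
        buf = []
    return records

def soa_serial(text):
    """The serial is the first numeric field after the MNAME and RNAME of the SOA."""
    for fields in parse_zone(text):
        if "SOA" in fields:
            return int(fields[fields.index("SOA") + 3])
    raise ValueError("no SOA record")

def lint_zone(text, origin):
    """Report RDATA names of NS/CNAME/MX/PTR records that contain a dot but lack
    the trailing one, together with the name BIND would actually load."""
    problems = []
    for fields in parse_zone(text):
        if fields[0] in ("$ORIGIN", "$TTL"):
            if fields[0] == "$ORIGIN":
                origin = fields[1]
            continue
        rtype = next((f for f in fields if f in ("NS", "CNAME", "MX", "PTR")), None)
        if rtype is None:
            continue
        target = fields[-1]
        if "." in target and not target.endswith("."):
            problems.append(f"{fields[0]} {rtype} {target} -> loads as {qualify(target, origin)}")
    return problems

# Constructed zones: the "new" one forgot the serial bump and two trailing dots.
OLD_ZONE = """\
$ORIGIN ntu.edu.tw.
@   IN SOA dns1.ntu.edu.tw. root.ccms.ntu.edu.tw. (
        2002070101 ; Serial
        10800 3600 604800 86400 )
    IN NS dns1.ntu.edu.tw.
"""
NEW_ZONE = """\
$ORIGIN ntu.edu.tw.
@   IN SOA dns1.ntu.edu.tw. root.ccms.ntu.edu.tw. (
        2002070101 ; Serial, not bumped
        10800 3600 604800 86400 )
    IN NS dns1.ntu.edu.tw.
    IN NS dns2.ntu.edu.tw      ; missing trailing dot
www IN CNAME w3.cc.ntu.edu.tw ; missing trailing dot
"""

def demo():
    """Run the checks against the constructed zones with a fixed 'today'."""
    return {
        "problems": lint_zone(NEW_ZONE, "ntu.edu.tw."),
        "serial_moved": serial_is_newer(soa_serial(NEW_ZONE), soa_serial(OLD_ZONE)),
        "next_serial": next_serial(soa_serial(OLD_ZONE), date(2002, 7, 1)),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The expansion shown by lint_zone (dns2.ntu.edu.tw.ntu.edu.tw.) is exactly what named loads without complaint, which is why this mistake is only noticed when lookups start failing.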
Advanced BIND settings
  Access control with address match lists and ACLs:
    acl "NTU-Campus" { 140.112.0.0/16; };
  Zone change notification: notify no; also-notify
  DNS dynamic update: allow-update
    allow-update matches only on the source address, which is trivial to spoof over UDP; restrict updates with a TSIG key (BIND 8.2 and later, BIND 9) rather than by address alone
Keeping the name server secure
  Keep BIND up to date and apply patches promptly
  Use access control lists to restrict access
    Limit who may query: allow-query
    Prevent unauthorized zone transfers: allow-transfer (a zone transfer hands out a complete host inventory, so it is the first thing an attacker tries)
  Decide how much service to offer: recursion yes/no; allow-recursion (BIND 9; also available in later BIND 8 releases). A server that recurses for anyone is an open resolver that third parties can abuse for cache-poisoning attempts and traffic amplification
  Refuse service to chosen sources entirely: blackhole
    acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 192.0.2.0/24; };
    acl our-nets { 140.112.0.0/16; };

    options {
        ....
        allow-query { our-nets; };
        allow-transfer { none; };
        allow-recursion { our-nets; };
        blackhole { bogusnets; };
        .....
    };

    zone "ntu.edu.tw" {
        type master;
        file "ntu.db";
        allow-query { any; };
        allow-transfer { 140.112.1.1; };
    };

  Note that a blackhole list ages: 1.0.0.0/8 was unallocated when this example was written but has been in use since 2010, so the entry above would now silently drop legitimate clients. Review such lists against current allocations rather than copying them.
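To check a policy like the one above against sample client addresses before deploying it, here is an added example (not code from the original slides) that models how named evaluates an address match list: first match wins, a leading "!" negates, a named ACL expands to its list, and for access control a negated match or no match at all means denial. The ACL contents are the ones on the slide (with the out-nets/our-nets typo resolved to our-nets); the client addresses are constructed, and the built-in "localhost" is simplified to 127.0.0.1.

```python
"""Model of named's address-match-list evaluation for allow-query,
allow-recursion, allow-transfer and blackhole. Added example; ACL contents are
from the slide, client addresses are constructed."""
import ipaddress

ACLS = {
    "any": ["0.0.0.0/0"],
    "none": [],
    "localhost": ["127.0.0.1"],               # simplification of the built-in ACL
    "bogusnets": ["0.0.0.0/8", "1.0.0.0/8", "192.0.2.0/24"],
    "our-nets": ["140.112.0.0/16"],
}

def flatten(match_list, acls=ACLS, negate=False):
    """Expand ACL names in place into (negated, network) pairs. This equals
    named's nested-list evaluation as long as the named ACLs themselves contain
    no negated entries, which is the case for the lists used here."""
    out = []
    for elem in match_list:
        neg = negate ^ elem.startswith("!")
        elem = elem.lstrip("! ")
        if elem in acls:
            out.extend(flatten(acls[elem], acls, neg))
        else:
            out.append((neg, ipaddress.ip_network(elem, strict=False)))
    return out

def allowed(addr, match_list, acls=ACLS):
    """Access-control semantics: the first matching element decides; a negated
    match denies; no match at all denies."""
    ip = ipaddress.ip_address(addr)
    for neg, net in flatten(match_list, acls):
        if ip.version == net.version and ip in net:
            return not neg
    return False

# The options and zone statements from the slide, as data.
OPTIONS = {
    "allow-query": ["our-nets"],
    "allow-recursion": ["our-nets"],
    "allow-transfer": ["none"],
    "blackhole": ["bogusnets"],
}
ZONE_NTU = {                                  # zone "ntu.edu.tw" overrides
    "allow-query": ["any"],
    "allow-transfer": ["140.112.1.1"],
}

def decide(addr, action, zone=None):
    """What named does with a 'query', 'recursion' or 'transfer' request from
    addr: blackholed sources get no reply at all; otherwise the zone's own
    allow-* list applies if it has one, else the global option. allow-recursion
    is a global option only."""
    if allowed(addr, OPTIONS["blackhole"]):
        return "dropped (blackhole)"
    key = f"allow-{action}"
    policy = OPTIONS[key] if action == "recursion" else (zone or {}).get(key, OPTIONS[key])
    return "allowed" if allowed(addr, policy) else "refused"

def demo():
    """Constructed clients: a campus host, an outsider, the listed secondary,
    a source in the blackhole list, and a host in 1.0.0.0/8 (allocated since 2010)."""
    cases = [
        ("140.112.1.2", "query", None),       # campus host, cache query   -> allowed
        ("140.112.1.2", "recursion", None),   # campus host                -> allowed
        ("203.0.113.7", "query", None),       # outsider, non-zone query   -> refused
        ("203.0.113.7", "query", ZONE_NTU),   # outsider asking our zone   -> allowed
        ("203.0.113.7", "recursion", None),   # outsider wanting recursion -> refused
        ("203.0.113.7", "transfer", ZONE_NTU),  # outsider AXFR            -> refused
        ("140.112.1.1", "transfer", ZONE_NTU),  # the listed secondary     -> allowed
        ("140.112.1.2", "transfer", ZONE_NTU),  # other campus host        -> refused
        ("192.0.2.9", "query", ZONE_NTU),       # blackholed source        -> dropped
        ("1.1.1.1", "query", ZONE_NTU),         # stale bogusnets entry    -> dropped
    ]
    return {(a, act, "zone" if z else "global"): decide(a, act, z) for a, act, z in cases}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The last case is the practical point: a "bogus networks" list that is not maintained turns into a denial of service against real users.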
Troubleshooting a name server
  Look for clues in the log file, e.g. /var/adm/messages
  Use nslookup or dig
    dig @name.server query-type domain.name
    dig @dns.ntu.edu.tw A www.ntu.edu.tw
  nslookup, interactive or non-interactive:
    Query different record types: set q=xxx (xxx = A, PTR, NS, ...)
    Query through a different name server: server <name server>
    Zone transfer: ls <domain> (works only where allow-transfer permits it)
    Show the query and response packets: set debug
    taurus% dig @dns.ntu.edu.tw A www.ntu.edu.tw
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46127
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.ntu.edu.tw.                IN      A

    ;; ANSWER SECTION:
    www.ntu.edu.tw.         86400   IN      CNAME   w3.cc.ntu.edu.tw.
    w3.cc.ntu.edu.tw.       259200  IN      A       140.112.8.130

    ;; AUTHORITY SECTION:
    cc.ntu.edu.tw.          259200  IN      NS      dns.ntu.edu.tw.
    cc.ntu.edu.tw.          259200  IN      NS      ntu3.ntu.edu.tw.

    ;; ADDITIONAL SECTION:
    dns.ntu.edu.tw.         86400   IN      A       140.112.254.4
    ntu3.ntu.edu.tw.        604800  IN      A       140.112.2.2

    ;; Query time: 29 msec
    ;; SERVER: 140.112.254.4#53(dns.ntu.edu.tw)
    ;; WHEN: Mon Jul 1 21:51:01 2002
    ;; MSG SIZE  rcvd: 137
Part III: Worked Examples
Example I: caching-only name server
  Authoritative only for the 0.0.127.in-addr.arpa zone
  Answers queries only for clients on the permitted networks
    // Define the subnets allowed to query, as an ACL
    acl "campusnets" { 192.168.4.0/24; 192.168.7.0/24; };

    options {
        directory "/etc/namedb";    // working directory
        pid-file "named.pid";       // put the pid file in the working directory
        allow-query { "campusnets"; };
    };

    // root server hints
    zone "." {
        type hint;
        file "root.hint";
    };

    // Provides the reverse mapping for the loopback address 127.0.0.1
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "localhost.rev";
        notify no;
    };
Example II: authoritative-only name server
  Authoritative for the ntu.edu.tw and eng.ntu.edu.tw domains
  Master server for ntu.edu.tw
  Slave server for eng.ntu.edu.tw
  Recursion is switched off, so it never answers from a cache and cannot be used as an open resolver
    options {
        directory "/etc/namedb";
        pid-file "named.pid";
        allow-query { any; };
        recursion no;
    };

    zone "." {                      // root server hints
        type hint;
        file "root.hint";
    };

    zone "0.0.127.in-addr.arpa" {   // reverse mapping for the loopback address 127.0.0.1
        type master;
        file "localhost.rev";
        notify no;
    };

    zone "ntu.edu.tw" {             // we are the master server for ntu.edu.tw
        type master;
        file "ntu.edu.tw.db";
        allow-transfer {            // IP addresses of the slave servers allowed to transfer ntu.edu.tw
            192.168.4.14;
            192.168.5.53;
        };
    };

    zone "eng.ntu.edu.tw" {         // we are a slave server for eng.ntu.edu.tw
        type slave;
        file "eng.ntu.edu.tw.bk";
        masters { 192.168.4.12; };  // IP address of the eng.ntu.edu.tw master server
    };
Example III: delegating reverse lookups below a class C
  Reverse delegation is normally done one class C (/24) at a time
  This setup (the RFC 2317 technique) is for several organizations sharing one class C block, each wanting to run DNS for its own addresses: the parent reverse zone turns each address into a CNAME pointing into a per-block sub-zone, and delegates that sub-zone with NS records
    // in named.conf on dns.ntu.edu.tw
    zone "172.112.140.in-addr.arpa" {
        type master;
        file "dns.rev.172";
        allow-update { none; };
        allow-query { any; };
        allow-transfer { none; };
    };

    // in named.conf on ntuns.ntu.edu.tw
    zone "44.112.140.in-addr.arpa" {
        type master;
        file "dns.rev.44";
    };
    ; dns.rev.172 on dns.ntu.edu.tw (parent zone for 140.112.172.0/24)
    $ORIGIN 172.112.140.IN-ADDR.ARPA.
    @   IN SOA dns.ntu.edu.tw. root.dns.ntu.edu.tw. (
            2001091401 3H 30M 1W 1D )
        IN NS dns.ntu.edu.tw.
    29  IN PTR server-sw.cc.ntu.edu.tw.
    30  IN PTR router172-30.cc.ntu.edu.tw.
    ; addresses 32-63 are delegated: each one is an alias into the sub-block zone
    33.172.112.140.in-addr.arpa. IN CNAME 33.32-63.172.112.140.in-addr.arpa.
    34.172.112.140.in-addr.arpa. IN CNAME 34.32-63.172.112.140.in-addr.arpa.
    35.172.112.140.in-addr.arpa. IN CNAME 35.32-63.172.112.140.in-addr.arpa.
    36.172.112.140.in-addr.arpa. IN CNAME 36.32-63.172.112.140.in-addr.arpa.
    37.172.112.140.in-addr.arpa. IN CNAME 37.32-63.172.112.140.in-addr.arpa.
    38.172.112.140.in-addr.arpa. IN CNAME 38.32-63.172.112.140.in-addr.arpa.
    …….
    60.172.112.140.in-addr.arpa. IN CNAME 60.32-63.172.112.140.in-addr.arpa.
    61.172.112.140.in-addr.arpa. IN CNAME 61.32-63.172.112.140.in-addr.arpa.
    62.172.112.140.in-addr.arpa. IN CNAME 62.32-63.172.112.140.in-addr.arpa.
    ; delegation of the sub-block zone
    32-63.172.112.140.in-addr.arpa. IN NS ms3.cpatch.org.
    32-63.172.112.140.in-addr.arpa. IN NS ns1.cpatch.org.
    32-63.172.112.140.in-addr.arpa. IN NS router.cpatch.org.
    ; in dns.rev.44 on ntuns.ntu.edu.tw (parent zone for 140.112.44.0/24)
    $ORIGIN 44.112.140.in-addr.arpa.
    @   IN SOA ntuns.ntu.edu.tw. root.ntuns.ntu.edu.tw. (
            2002060501 10800 3600 604800 86400 )
        IN NS ntuns.ntu.edu.tw.
    1   IN CNAME 1.0-63.44.112.140.in-addr.arpa.
    2   IN CNAME 2.0-63.44.112.140.in-addr.arpa.
    3   IN CNAME 3.0-63.44.112.140.in-addr.arpa.
    4   IN CNAME 4.0-63.44.112.140.in-addr.arpa.
    5   IN CNAME 5.0-63.44.112.140.in-addr.arpa.
    6   IN CNAME 6.0-63.44.112.140.in-addr.arpa.
    7   IN CNAME 7.0-63.44.112.140.in-addr.arpa.
    ……
    61  IN CNAME 61.0-63.44.112.140.in-addr.arpa.
    62  IN CNAME 62.0-63.44.112.140.in-addr.arpa.
    63  IN CNAME 63.0-63.44.112.140.in-addr.arpa.
    64  IN CNAME 64.64-127.44.112.140.in-addr.arpa.
    65  IN CNAME 65.64-127.44.112.140.in-addr.arpa.
    …..
    125 IN CNAME 125.64-127.44.112.140.in-addr.arpa.
    126 IN CNAME 126.64-127.44.112.140.in-addr.arpa.
    127 IN CNAME 127.64-127.44.112.140.in-addr.arpa.
    0-63.44.112.140.in-addr.arpa.   IN NS w5.me.ntu.edu.tw.
    64-127.44.112.140.in-addr.arpa. IN NS main.phys.ntu.edu.tw.
    ; child zone on w5.me.ntu.edu.tw for 140.112.44.0-63
    $ORIGIN 0-63.44.112.140.in-addr.arpa.
    @   38400 IN SOA w5.me.ntu.edu.tw. chiao.w3.me.ntu.edu.tw. (
            2002010101 10800 3600 432000 38400 )
    ; the original slide used the 11-digit serial 20020101001, which exceeds the
    ; 32-bit range of the serial field and is rejected by named
    @   38400 IN NS  w5.me.ntu.edu.tw.   ; the zone needs its own NS record at the apex
    7   38400 IN PTR Eileem.me.ntu.edu.tw.
    9   38400 IN PTR JJLee-4.me.ntu.edu.tw.
    10  38400 IN PTR JJLee-5.me.ntu.edu.tw.
    12  38400 IN PTR TA5.me.ntu.edu.tw.
    13  38400 IN PTR TA3.me.ntu.edu.tw.
    16  38400 IN PTR r2.me.ntu.edu.tw.
    17  38400 IN PTR r6.me.ntu.edu.tw.
    20  38400 IN PTR TA4.me.ntu.edu.tw.
    21  38400 IN PTR MAC.me.ntu.edu.tw.
    26  38400 IN PTR r4.me.ntu.edu.tw.
    28  38400 IN PTR TA1.me.ntu.edu.tw.
    29  38400 IN PTR TA2.me.ntu.edu.tw.
    42  38400 IN PTR Tin.me.ntu.edu.tw.
    50  38400 IN PTR r9.me.ntu.edu.tw.
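Writing the per-address CNAME lines by hand is where the typos in files like the ones above come from. The script below is an added example, not code from the original slides: it generates the parent-zone records (NS delegation of the sub-block plus one CNAME per address) and the child zone for any block smaller than a /24, using the 32-63 and 0-63 labels of this example, and then follows the CNAME-to-PTR chain the way a resolver does. The block, the cpatch.org server names and the two host names are taken from the slides; the child zone's SOA parameters and contact are assumptions.

```python
"""Generator and lookup for classless in-addr.arpa delegation (RFC 2317 style).
Added example; blocks and server names follow the slides, SOA values are assumed."""
import ipaddress

def reverse_name(addr):
    """140.112.172.44 -> 44.172.112.140.in-addr.arpa."""
    return ipaddress.ip_address(addr).reverse_pointer + "."

def parent_zone_name(net):
    """The /24 reverse zone that contains `net`: 140.112.172.32/27 -> 172.112.140.in-addr.arpa."""
    return ".".join(str(net.network_address).split(".")[2::-1]) + ".in-addr.arpa."

def block_label(network):
    """Sub-block label used on the slides: first-last host octet, e.g. '32-63'."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("only blocks smaller than a /24 are delegated this way")
    return f"{net[0].packed[3]}-{net[-1].packed[3]}"

def parent_records(network, nameservers):
    """Lines for the parent /24 zone: NS records delegating the sub-block name,
    then a CNAME for every address in the block pointing into that sub-block."""
    net = ipaddress.ip_network(network, strict=True)
    zone = parent_zone_name(net)
    sub = f"{block_label(net)}.{zone}"
    lines = [f"{sub} IN NS {ns}" for ns in nameservers]
    for ip in net:
        host = ip.packed[3]
        lines.append(f"{host}.{zone} IN CNAME {host}.{sub}")
    return lines

def child_zone(network, primary_ns, contact, ptrs, serial):
    """Master file for the delegated sub-block: $ORIGIN, SOA, apex NS and one
    PTR per host, with owner names relative to the $ORIGIN."""
    net = ipaddress.ip_network(network, strict=True)
    origin = f"{block_label(net)}.{parent_zone_name(net)}"
    lines = [f"$ORIGIN {origin}",
             f"@ IN SOA {primary_ns} {contact} ( {serial} 10800 3600 604800 86400 )",
             f"@ IN NS {primary_ns}"]
    for addr, name in sorted(ptrs.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            raise ValueError(f"{addr} is outside {net}")
        lines.append(f"{ip.packed[3]} IN PTR {name}")
    return "\n".join(lines)

def resolve_ptr(addr, parent_lines, child_text):
    """Follow the chain the nslookup transcripts show: reverse name -> CNAME in
    the parent zone -> PTR in the delegated child zone. None if no PTR exists."""
    cnames = {f[0]: f[3] for f in (l.split() for l in parent_lines) if f[2] == "CNAME"}
    origin, ptrs = None, {}
    for line in child_text.splitlines():
        f = line.split()
        if f[0] == "$ORIGIN":
            origin = f[1]
        elif "PTR" in f:
            ptrs[f"{f[0]}.{origin}"] = f[-1]
    name = reverse_name(addr)
    return ptrs.get(cnames.get(name, name))

CPATCH_NS = ["ms3.cpatch.org.", "ns1.cpatch.org.", "router.cpatch.org."]

def demo():
    """Rebuild the 32-63 delegation from the slides; the two PTR targets are the
    names seen in the nslookup transcript, the SOA contact is an assumption."""
    parent = parent_records("140.112.172.32/27", CPATCH_NS)
    child = child_zone("140.112.172.32/27", "ms3.cpatch.org.", "root.ms3.cpatch.org.",
                       {"140.112.172.44": "input.cpatch.org.",
                        "140.112.172.50": "ms3.cpatch.org."}, 2002070101)
    return parent, child, resolve_ptr("140.112.172.44", parent, child)

if __name__ == "__main__":
    parent, child, name = demo()
    print("\n".join(parent[:5]), "...", child, name, sep="\n")
```

Because the generator derives the sub-block label and the $ORIGIN from the same prefix, the CNAME targets in the parent and the owner names in the child cannot drift apart, which is the failure the transcripts further down would otherwise surface as a dangling CNAME.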
    ntuns% nslookup
    Default Server:  dns.ntu.edu.tw
    Address:  140.112.254.4

    > set type=ns
    > 44.112.140.in-addr.arpa
    Server:  dns.ntu.edu.tw

    Non-authoritative answer:
    44.112.140.in-addr.arpa  nameserver = ntuns.ntu.edu.tw

    Authoritative answers can be found from:
    ntuns.ntu.edu.tw  internet address = 140.112.2.28

    > 0-63.44.112.140.in-addr.arpa.
    0-63.44.112.140.in-addr.arpa  nameserver = w5.me.ntu.edu.tw
    w5.me.ntu.edu.tw  internet address = 140.112.14.3
    > set type=ptr
    > 140.112.44.9
    Server:  ntu3.ntu.edu.tw
    Address:  140.112.2.2

    Non-authoritative answer:
    9.44.112.140.in-addr.arpa  canonical name = 9.0-63.44.112.140.in-addr.arpa
    9.0-63.44.112.140.in-addr.arpa  name = JJLee-4.me.ntu.edu.tw
    0-63.44.112.140.in-addr.arpa  nameserver = w5.me.ntu.edu.tw
    w5.me.ntu.edu.tw  internet address = 140.112.14.3
    [root@aquarius]2:46pm</var/named>nslookup
    Default Server:  localhost
    Address:  127.0.0.1

    > set type=ptr
    > 140.112.172.44
    Server:  localhost

    Non-authoritative answer:
    44.172.112.140.in-addr.arpa  canonical name = 44.32-63.172.112.140.in-addr.arpa
    44.32-63.172.112.140.in-addr.arpa  name = input.cpatch.org

    Authoritative answers can be found from:
    32-63.172.112.140.in-addr.arpa  nameserver = ms3.cpatch.org
    32-63.172.112.140.in-addr.arpa  nameserver = ns1.cpatch.org
    32-63.172.112.140.in-addr.arpa  nameserver = router.cpatch.org
    ms3.cpatch.org  internet address = 140.112.172.50
    ns1.cpatch.org  internet address = 140.112.172.41
How it works
  A lookup of 140.112.172.44 asks for 44.172.112.140.in-addr.arpa; the parent zone answers that this name is a CNAME for 44.32-63.172.112.140.in-addr.arpa
  The parent zone also states that the name servers for 32-63.172.112.140.in-addr.arpa are ms3.cpatch.org (and ns1.cpatch.org, router.cpatch.org), so the resolver queries ms3.cpatch.org and obtains the PTR record: the host name is input.cpatch.org