tachtler:dns_isc_bind_centos_7
Differences
This page shows the differences between two revisions of the wiki page.
tachtler:dns_isc_bind_centos_7 [2018/09/02 07:51] – [Manuelle Zone-Datei Updates] klaus | tachtler:dns_isc_bind_centos_7 [2021/11/14 14:51] (current) – old revision restored (2019/10/29 05:48) klaus | ||
Zeile 378: | Zeile 378: | ||
statistics-file "/ | statistics-file "/ | ||
memstatistics-file "/ | memstatistics-file "/ | ||
+ | recursing-file | ||
+ | secroots-file | ||
allow-query | allow-query | ||
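Review bot: The new recursing-file and secroots-file entries are runtime dump targets, not inputs: `rndc recursing` and `rndc secroots` write to them on demand, so their paths (cut off on this page) must lie in a directory the named user can write to, the same one statistics-file and memstatistics-file already use; otherwise those two rndc commands fail with a permission error and nothing in the configuration check warns about it.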
Zeile 674: | Zeile 676: | ||
:!: **HINWEIS** - **Ein optimiertes Vorgehen, soll nachfolgend dargestellt werden!** | :!: **HINWEIS** - **Ein optimiertes Vorgehen, soll nachfolgend dargestellt werden!** | ||
- | ==== /etc/myrndc.key ==== | + | ==== /etc/rndc.key ==== |
nach der Installation des DNS-Servers ist eine Datei mit einem Schlüssel unter | nach der Installation des DNS-Servers ist eine Datei mit einem Schlüssel unter | ||
Zeile 691: | Zeile 693: | ||
</ | </ | ||
- | Um die Sicherheit zu erhöhen, sollte ein eigener Schlüssel, welcher in der Datei ''/ | + | Um die Sicherheit zu erhöhen, sollte ein eigener Schlüssel, welcher in der Datei ''/ |
< | < | ||
- | # rndc-confgen -a -b 512 -c /etc/myrndc.key -k rndc-key -r " | + | # rndc-confgen -a -b 512 -c /etc/rndc.key -k rndc-key -r " |
start typing: | start typing: | ||
............................... | ............................... | ||
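Review bot: The rndc-confgen line still passes `-k rndc-key`, although the heading now targets /etc/rndc.key and the later hunks on this page show the key as "ns1.tachtler.net-key" in the key file, in the default-key of rndc.conf and in the controls statement. The name given with -k is the name written into the key statement of the generated file, so either run the command with `-k ns1.tachtler.net-key` or keep the other three places at rndc-key; with the mismatch as shown, rndc cannot find the key it is told to use.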
Zeile 718: | Zeile 720: | ||
........................... | ........................... | ||
stop typing. | stop typing. | ||
- | wrote key file "/etc/myrndc.key" | + | wrote key file "/etc/rndc.key" |
</ | </ | ||
- | Anschließend kann mit nachfolgendem Befehl überprüft werden, ob die Generierung einer neuen Datei mit dem Namen ''/ | + | Anschließend kann mit nachfolgendem Befehl überprüft werden, ob die Generierung einer neuen Datei mit dem Namen ''/ |
<code ini> | <code ini> | ||
- | # cat /etc/myrndc.key | + | # cat /etc/rndc.key |
- | key "rndc-key" { | + | key "ns1.tachtler.net-key" { |
algorithm hmac-md5; | algorithm hmac-md5; | ||
secret " | secret " | ||
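Review bot: The key file shows `algorithm hmac-md5;`, which is the weakest TSIG algorithm BIND 9 still accepts. rndc-confgen takes `-A hmac-sha256` to produce a SHA-256 key with exactly the same workflow, so prefer that when the key is regenerated and confirm the algorithm line of the resulting file changes accordingly.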
Zeile 732: | Zeile 734: | ||
Abschließend sollten die **Besitz**recht noch einmal verschärft werden, was mit nachfolgendem Befehl durchgeführt werden kann: | Abschließend sollten die **Besitz**recht noch einmal verschärft werden, was mit nachfolgendem Befehl durchgeführt werden kann: | ||
< | < | ||
- | # chown root:named /etc/myrndc.key | + | # chown root:named /etc/rndc.key |
</ | </ | ||
Ein Überprüfung, | Ein Überprüfung, | ||
< | < | ||
- | # ll /etc/myrndc.key | + | # ll /etc/rndc.key |
- | -rw-r----- 1 root named 153 Oct 17 13:06 /etc/myrndc.key | + | -rw-r----- 1 root named 153 Oct 17 13:06 /etc/rndc.key |
</ | </ | ||
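Review bot: chown only changes owner and group, yet the listing below it shows `-rw-r-----` (0640), which is the mode the text relies on so that only root and the named group can read the secret; no chmod appears in the diff, so add `chmod 640 /etc/rndc.key` before the `ll` check, or the expected listing may not match on a host where the file was created with other permissions.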
Zeile 748: | Zeile 750: | ||
Der Inhalt der Datei sollte, wie nachfolgend darstellt, aussehen: | Der Inhalt der Datei sollte, wie nachfolgend darstellt, aussehen: | ||
<code ini> | <code ini> | ||
- | include "/etc/myrndc.key"; | + | include "/etc/rndc.key"; |
options { | options { | ||
- | default-key "rndc-key"; | + | default-key "ns1.tachtler.net-key"; |
default-server 127.0.0.1; | default-server 127.0.0.1; | ||
default-port 953; | default-port 953; | ||
Zeile 936: | Zeile 938: | ||
// ================================================================================ | // ================================================================================ | ||
acl primary { | acl primary { | ||
- | | + | 192.168.0.20/ |
}; | }; | ||
+ | // Without unbound as resolver in front of bind | ||
acl interfaces { | acl interfaces { | ||
- | | + | 192.168.0.20/ |
- | 192.168.1.20/ | + | 192.168.1.20/ |
}; | }; | ||
+ | |||
+ | // With unbound as resolver in front of bind | ||
+ | //acl interfaces { | ||
+ | // | ||
+ | //}; | ||
acl pdmz { | acl pdmz { | ||
- | | + | 88.217.171.167/ |
}; | }; | ||
acl edmz { | acl edmz { | ||
- | | + | 192.168.1.0/ |
}; | }; | ||
acl idmz { | acl idmz { | ||
- | | + | 192.168.0.0/ |
}; | }; | ||
acl home { | acl home { | ||
- | | + | 192.168.2.0/ |
}; | }; | ||
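Review bot: The commented `//acl interfaces` block for the unbound-in-front setup must replace the active one rather than sit beside it: BIND rejects a second acl with the same name, so when switching variants the first `acl interfaces` block has to be commented out in the same edit, and named-checkconf should be run before reloading.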
Zeile 963: | Zeile 971: | ||
// Keys. | // Keys. | ||
// ================================================================================ | // ================================================================================ | ||
- | include "/etc/myrndc.key"; | + | include "/etc/rndc.key"; |
// ================================================================================ | // ================================================================================ | ||
Zeile 970: | Zeile 978: | ||
controls { | controls { | ||
inet 127.0.0.1 port 953 | inet 127.0.0.1 port 953 | ||
- | allow { 127.0.0.1; } keys { "rndc-key"; }; | + | allow { 127.0.0.1; } keys { "ns1.tachtler.net-key"; }; |
}; | }; | ||
Zeile 978: | Zeile 986: | ||
logging { | logging { | ||
- | | + | // Channels. ------------------------------------------------------------- |
- | | + | // Default startup messages. |
channel default_debug { | channel default_debug { | ||
file " | file " | ||
severity dynamic; | severity dynamic; | ||
- | | + | print-category yes; |
- | print-severity yes; | + | print-severity yes; |
- | print-time yes; | + | print-time yes; |
}; | }; | ||
- | | + | // Approval and denial of requests. |
- | channel custom_security { | + | channel custom_security { |
- | file " | + | file " |
severity info; | severity info; | ||
- | | + | print-category yes; |
- | print-severity yes; | + | print-severity yes; |
- | print-time yes; | + | print-time yes; |
- | }; | + | }; |
- | // Lame servers. These are misconfigurations in remote servers, discovered | + | // Lame servers. These are misconfigurations in remote servers, discovered |
- | // by BIND 9 when trying to query those servers during resolution. | + | // by BIND 9 when trying to query those servers during resolution. |
- | channel custom_lame-servers { | + | channel custom_lame-servers { |
- | file " | + | file " |
severity info; | severity info; | ||
- | | + | print-category yes; |
- | print-severity yes; | + | print-severity yes; |
- | print-time yes; | + | print-time yes; |
- | }; | + | }; |
- | | + | // Categories. ----------------------------------------------------------- |
- | | + | category security { |
- | custom_security; | + | custom_security; |
- | default_syslog; | + | default_syslog; |
- | default_debug; | + | default_debug; |
- | }; | + | }; |
- | category lame-servers { | + | category lame-servers { |
- | custom_lame-servers ; | + | custom_lame-servers ; |
- | default_syslog; | + | default_syslog; |
- | default_debug; | + | default_debug; |
- | }; | + | }; |
}; | }; | ||
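Review bot: A stray space before the semicolon in `custom_lame-servers ;` (category lame-servers) survives the reindent; BIND parses it, but tidy it to match the other channel references. Otherwise the hunk is whitespace only, and keeping default_syslog alongside the dedicated file channels is the right choice if these events are also collected centrally from syslog.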
Zeile 1024: | Zeile 1032: | ||
// ================================================================================ | // ================================================================================ | ||
options { | options { | ||
- | | + | // The working directory of the server. |
- | directory "/ | + | directory "/ |
- | // The directory where the public and private DNSSEC key files should be | + | // The directory where the public and private DNSSEC key files should be |
- | // found. | + | // found. |
- | key-directory "/ | + | key-directory "/ |
- | // The directory which to store the files that track managed DNSSEC keys. | + | // The directory which to store the files that track managed DNSSEC keys. |
- | managed-keys-directory "/ | + | managed-keys-directory "/ |
- | // The pathname of the file the server dumps the database to when | + | // The pathname of the file the server dumps the database to when |
- | // instructed. | + | // instructed. |
- | dump-file "/ | + | dump-file "/ |
- | // The pathname of the file the server writes memory usage statistics to | + | // The pathname of the file the server writes memory usage statistics to |
- | // on exit. | + | // on exit. |
- | memstatistics-file "/ | + | memstatistics-file "/ |
- | // The pathname of the file the server writes its process ID in. | + | // The pathname of the file the server writes its process ID in. |
- | pid-file "/ | + | pid-file "/ |
- | // The pathname of the file the server dumps the queries that are currently | + | // The pathname of the file the server dumps the queries that are currently |
- | // recursing when instructed | + | // recursing when instructed. |
- | recursing-file "/ | + | recursing-file "/ |
- | // The pathname of the file the server | + | // The pathname of the file the server |
- | // instructed. | + | // instructed |
- | statistics-file "/ | + | statistics-file "/ |
- | // The pathname of a file to override the built-in trusted keys provided | + | // The pathname of a file to override the built-in trusted keys provided |
- | // by named. Path to ISC DLV key. | + | // by named. Path to ISC DLV key. |
- | bindkeys-file "/ | + | bindkeys-file "/ |
- | // The pathname of the file the server dumps security roots to when | + | // The pathname of the file the server dumps security roots to when |
- | // instructed. | + | // instructed. |
- | secroots-file "/ | + | secroots-file "/ |
- | // The pathname of the file into which to write a TSIG session key | + | // The pathname of the file into which to write a TSIG session key |
- | // generated by named for use by nsupdate -l. | + | // generated by named for use by nsupdate -l. |
- | session-keyfile "/ | + | session-keyfile "/ |
- | | + | // ------------------------------------------------------------------------ |
- | // Boolean options. | + | // Boolean options. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // If yes, then when generating responses the server will only add records |
- | // to the authority and additional data sections when they are required. | + | // to the authority and additional data sections when they are required. |
- | minimal-responses no; | + | // Tachtler - default: minimal-responses no; |
- | // If yes, and a DNS query requests recursion, then the server will attempt | + | minimal-responses no; |
- | // to do all the work required to answer the query. If recursion is off and | + | // If yes, and a DNS query requests recursion, then the server will attempt |
- | // the server does not already know the answer, it will return a referral | + | // to do all the work required to answer the query. If recursion is off and |
- | // response. The default is yes. Note that setting recursion no does not | + | // the server does not already know the answer, it will return a referral |
- | // prevent clients from getting data from the serverâs | + | // response. The default is yes. Note that setting recursion no does not |
- | // prevents new data from being cached as an effect of client queries. | + | // prevent clients from getting data from the server’s |
- | /* | + | // prevents new data from being cached as an effect of client queries. |
- | | + | /* |
- | | + | - If your recursive DNS server has a public IP address, you MUST enable |
- | | + | access control to limit queries to your legitimate users. Failing to do |
- | | + | so will cause your server to become part of large scale DNS |
- | | + | amplification attacks. Implementing BCP38 within your network would |
- | */ | + | greatly reduce such attack surface . |
- | // IMPORTANT: Use of access control: allow-recursion is required! | + | */ |
- | recursion yes; | + | // IMPORTANT: Use of access control: allow-recursion is required! |
+ | recursion yes; | ||
- | | + | // DNSSEC. --------------------------------------------------------------- |
- | | + | // Enable DNSSEC support in named. |
- | dnssec-enable yes; | + | dnssec-enable yes; |
- | // Enable DNSSEC validation in named and compare to root-certs (auto). | + | // Enable DNSSEC validation in named and compare to root-certs (auto). |
- | // yes: DNSSEC validation is enabled, but a trust anchor must be manually | + | // yes: DNSSEC validation is enabled, but a trust anchor must be manually |
// configured. No validation will actually take place until you have | // configured. No validation will actually take place until you have | ||
// manually configured at least one trusted key. This is the default. | // manually configured at least one trusted key. This is the default. | ||
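Review bot: The comment above bindkeys-file still says "Path to ISC DLV key", while this same diff disables dnssec-lookaside further down because the DLV service was shut down; update the comment so a later reader does not take the file for a DLV anchor (per its own first comment line it overrides the built-in trusted keys). A trivial nit: the statistics-file comment lost its trailing period ("// instructed" versus "// instructed." on the neighbouring options).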
Zeile 1090: | Zeile 1099: | ||
// auto: DNSSEC validation is enabled, and a default trust anchor | // auto: DNSSEC validation is enabled, and a default trust anchor | ||
// (included as part of BIND) for the DNS root zone is used. | // (included as part of BIND) for the DNS root zone is used. | ||
- | | + | // Tachtler - DISABLED - |
- | // When set, dnssec-lookaside provides the validator with an alternate | + | // dnssec-validation auto; |
- | // method to validate DNSKEY records at the top of a zone. | + | dnssec-validation yes; |
- | // If dnssec-lookaside is set to auto, then built-in default values for the | + | // When set, dnssec-lookaside provides the validator with an alternate |
- | // DLV domain and trust anchor will be used, along with a built-in key for | + | // method to validate DNSKEY records at the top of a zone. |
- | // validation. | + | // If dnssec-lookaside is set to auto, then built-in default values for the |
- | dnssec-lookaside auto; | + | // DLV domain and trust anchor will be used, along with a built-in key for |
+ | // validation. | ||
+ | // Tachtler - DEPRECATED - Service was shutdown. | ||
+ | //dnssec-lookaside auto; | ||
- | | + | // Checks. --------------------------------------------------------------- |
- | | + | // This option is used to restrict the character set and syntax of certain |
- | // domain names in master files and/or DNS responses received from the | + | // domain names in master files and/or DNS responses received from the |
- | // network. | + | // network. |
- | // Tachtler - Warn only, if names not correct, like DKIM for e-mail. | + | // Tachtler - Warn only, if names not correct, like DKIM for e-mail. |
- | check-names master warn; | + | check-names master warn; |
- | + | ||
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | // Forwarding. | + | // Forwarding. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
/* Tachtler - DISABLED - | /* Tachtler - DISABLED - | ||
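Review bot: Changing `dnssec-validation auto;` to `dnssec-validation yes;` is a functional change, not a cleanup: as the retained comment in this hunk states, with yes no validation takes place until a trust anchor is configured manually, whereas auto uses the root key built into BIND. Unless a trusted-keys or managed-keys statement for the root zone exists elsewhere in named.conf, this edit silently turns validation off while `dnssec-enable yes;` still suggests it is on; if the aim was only to drop DLV, commenting out dnssec-lookaside (done below) is sufficient and auto should stay.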
Zeile 1118: | Zeile 1130: | ||
* forward first; | * forward first; | ||
* // DNS-Server which will asked when local answers not found. | * // DNS-Server which will asked when local answers not found. | ||
- | * forwarders { none; }; | + | * forwarders { 212.18.3.5; 212.18.0.5; }; |
*/ | */ | ||
- | | + | // ------------------------------------------------------------------------ |
- | // Dual-stack servers. | + | // Dual-stack servers. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // - empty - |
- | | + | // ------------------------------------------------------------------------ |
- | // Access control. | + | // Access control. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // Specifies which hosts are allowed to notify this server, a slave, of |
- | // zone changes in addition to the zone masters. | + | // zone changes in addition to the zone masters. |
- | allow-notify { 127.0.0.1; }; | + | allow-notify { 127.0.0.1; }; |
- | // Specifies which hosts are allowed to ask ordinary DNS questions. | + | // Specifies which hosts are allowed to ask ordinary DNS questions. |
- | allow-query { 127.0.0.1; edmz; idmz; home; }; | + | allow-query { 127.0.0.1; tdmz; edmz; idmz; home; }; |
- | // Specifies which hosts are allowed to make recursive queries through this | + | // Specifies which hosts are allowed to make recursive queries through this |
- | // server. | + | // server. |
- | allow-recursion { 127.0.0.1; edmz; idmz; home; }; | + | allow-recursion { 127.0.0.1; tdmz; edmz; idmz; home; }; |
- | // Specifies which hosts are allowed to receive zone transfers from the | + | // Specifies which hosts are allowed to receive zone transfers from the |
- | // server. | + | // server. |
- | allow-transfer { 127.0.0.1; primary; }; | + | allow-transfer { 127.0.0.1; primary; }; |
- | // Specifies a list of addresses that the server will not accept queries | + | // Specifies a list of addresses that the server will not accept queries |
- | // from or use to resolve a query. Queries from these addresses will not | + | // from or use to resolve a query. Queries from these addresses will not |
- | // be responded to. | + | // be responded to. |
- | blackhole { none; }; | + | blackhole { none; }; |
- | | + | // ------------------------------------------------------------------------ |
- | // Interfaces. | + | // Interfaces. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // The interfaces and ports that the server will answer queries from may |
- | // be specified using the listen-on option. | + | // be specified using the listen-on option. |
- | listen-on port 53 { 127.0.0.1; interfaces; }; | + | listen-on port 53 { 127.0.0.1; interfaces; }; |
- | | + | // ------------------------------------------------------------------------ |
- | // Query address. | + | // Query address. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // If the server |
- | // name servers. query-source specifies the address and port used for such | + | // name servers. query-source specifies the address and port used for such |
- | // queries. | + | // queries. |
- | /* | + | /* |
- | | + | * If there is a firewall between you and nameservers you want |
- | | + | * to talk to, you might need to use the query-source directive. |
- | */ | + | */ |
- | query-source address * port *; | + | query-source address * port *; |
- | | + | // ------------------------------------------------------------------------ |
- | // Zone transfer. | + | // Zone transfer. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // - empty - |
- | | + | // ------------------------------------------------------------------------ |
- | // UDP port lists. | + | // UDP port lists. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // - empty - |
- | | + | // ------------------------------------------------------------------------ |
- | // OS resource limits. | + | // OS resource limits. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // The maximum size of a core dump. |
- | coresize default; | + | coresize default; |
- | // The maximum amount of data memory the server may use. | + | // The maximum amount of data memory the server may use. |
- | datasize default; | + | datasize default; |
- | // The maximum number of files the server may have open concurrently. | + | // The maximum number of files the server may have open concurrently. |
- | files unlimited; | + | files unlimited; |
- | // The maximum amount of stack memory the server may use. | + | // The maximum amount of stack memory the server may use. |
- | stacksize default; | + | stacksize default; |
- | | + | // ------------------------------------------------------------------------ |
- | // Server resource limits. | + | // Server resource limits. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // Sets a maximum size for each journal file. |
- | // The default is unlimited, which also means 2 gigabytes. | + | // The default is unlimited, which also means 2 gigabytes. |
- | max-journal-size unlimited; | + | max-journal-size unlimited; |
- | // he maximum number of simultaneous recursive lookups the server will | + | // he maximum number of simultaneous recursive lookups the server will |
- | // perform on behalf of clients. The default is 1000. | + | // perform on behalf of clients. The default is 1000. |
- | recursive-clients 1000; | + | recursive-clients 1000; |
- | // The maximum number of simultaneous client TCP connections that the | + | // The maximum number of simultaneous client TCP connections that the |
- | // server will accept. The default is 100. | + | // server will accept. The default is 100. |
- | tcp-clients 100; | + | tcp-clients 100; |
- | // The maximum amount of memory to use for the serverâs | + | // The maximum amount of memory to use for the server’s |
- | // A value of 0 is special, meaning that records are purged from the cache | + | // A value of 0 is special, meaning that records are purged from the cache |
- | // only when their TTLs expire. Another special keyword unlimited means | + | // only when their TTLs expire. Another special keyword unlimited means |
- | // the maximum value of 32-bit unsigned integers (0xffffffff), | + | // the maximum value of 32-bit unsigned integers (0xffffffff), |
- | // not have the same effect as 0 on machines that support more than 32 bits | + | // not have the same effect as 0 on machines that support more than 32 bits |
- | // of memory space. Any positive values less than 2MB will be ignored reset | + | // of memory space. Any positive values less than 2MB will be ignored reset |
- | // to 2MB. In a server with multiple views, the limit applies separately to | + | // to 2MB. In a server with multiple views, the limit applies separately to |
- | // the cache of each view. The default is 0. | + | // the cache of each view. The default is 0. |
- | max-cache-size 0; | + | max-cache-size 0; |
- | // The listen queue depth. The default and minimum is 10. If the kernel | + | // The listen queue depth. The default and minimum is 10. If the kernel |
- | // supports the accept filter connections that will be queued in kernel | + | // supports the accept filter connections that will be queued in kernel |
- | // space waiting for some data before being passed to accept. Nonzero | + | // space waiting for some data before being passed to accept. Nonzero |
- | // values less than 10 will be silently raised. A value of 0 may also be | + | // values less than 10 will be silently raised. A value of 0 may also be |
- | // used; on most platforms this sets the listen queue length to a | + | // used; on most platforms this sets the listen queue length to a |
- | // system-defined default value. | + | // system-defined default value. |
- | tcp-listen-queue 10; | + | tcp-listen-queue 10; |
- | | + | // ------------------------------------------------------------------------ |
- | // Periodic task intervals. | + | // Periodic task intervals. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // The server will scan the network interface list every interface-interval |
- | // minutes. The default is 60 minutes. The maximum value is 28 days | + | // minutes. The default is 60 minutes. The maximum value is 28 days |
- | // (40320 minutes). If set to 0, interface scanning will only occur when | + | // (40320 minutes). If set to 0, interface scanning will only occur when |
- | // the configuration file is loaded. After the scan, the server will begin | + | // the configuration file is loaded. After the scan, the server will begin |
- | // listening for queries on any newly discovered interfaces (provided they | + | // listening for queries on any newly discovered interfaces (provided they |
- | // are allowed by the listen-on configuration), | + | // are allowed by the listen-on configuration), |
- | // interfaces that have gone away. | + | // interfaces that have gone away. |
- | // Tachtler - NOT default - | + | // Tachtler - NOT default - |
- | interface-interval 0; | + | interface-interval 0; |
- | | + | // ------------------------------------------------------------------------ |
- | // Topology. | + | // Topology. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // - empty - |
- | | + | // ------------------------------------------------------------------------ |
- | // The sortlist statement. | + | // The sortlist statement. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // - empty - |
- | | + | // ------------------------------------------------------------------------ |
- | // RRset ordering. | + | // RRset ordering. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // - empty - |
- | | + | // ------------------------------------------------------------------------ |
- | // Tuning. | + | // Tuning. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // Sets the number of seconds to cache a lame server indication. 0 disables |
- | // caching. (This is NOT recommended.) The default is 600 (10 minutes) and | + | // caching. (This is NOT recommended.) The default is 600 (10 minutes) and |
- | // the maximum value is 1800 (30 minutes). | + | // the maximum value is 1800 (30 minutes). |
- | lame-ttl 600; | + | lame-ttl 600; |
- | // To reduce network traffic and increase performance, | + | // To reduce network traffic and increase performance, |
- | // negative answers. max-ncache-ttl is used to set a maximum retention time | + | // negative answers. max-ncache-ttl is used to set a maximum retention time |
- | // for these answers in the server in seconds. The default max-ncache-ttl | + | // for these answers in the server in seconds. The default max-ncache-ttl |
- | // is 10800 seconds (3 hours). max-ncache-ttl cannot exceed 7 days and will | + | // is 10800 seconds (3 hours). max-ncache-ttl cannot exceed 7 days and will |
- | // be silently truncated to 7 days if set to a greater value. | + | // be silently truncated to 7 days if set to a greater value. |
- | max-ncache-ttl 10800; | + | max-ncache-ttl 10800; |
- | // Sets the maximum time for which the server will cache ordinary | + | // Sets the maximum time for which the server will cache ordinary |
- | // (positive) answers. The default is one week (7 days). A value of zero | + | // (positive) answers. The default is one week (7 days). A value of zero |
- | // may cause all queries to return SERVFAIL, because of lost caches of | + | // may cause all queries to return SERVFAIL, because of lost caches of |
- | // intermediate RRsets (such as NS and glue AAAA/A records) in the | + | // intermediate RRsets (such as NS and glue AAAA/A records) in the |
- | // resolution process. | + | // resolution process. |
- | max-cache-ttl 604800; | + | max-cache-ttl 604800; |
- | // Sets the advertised EDNS UDP buffer size in bytes to control the size of | + | // Sets the advertised EDNS UDP buffer size in bytes to control the size of |
- | // packets received. Valid values are 512 to 4096 (values outside this | + | // packets received. Valid values are 512 to 4096 (values outside this |
- | // range will be silently adjusted). The default value is 4096. The usual | + | // range will be silently adjusted). The default value is 4096. The usual |
- | // reason for setting edns-udp-size to a non-default value is to get UDP | + | // reason for setting edns-udp-size to a non-default value is to get UDP |
- | // answers to pass through broken firewalls that block fragmented packets | + | // answers to pass through broken firewalls that block fragmented packets |
- | // and/or block UDP packets that are greater than 512 bytes. | + | // and/or block UDP packets that are greater than 512 bytes. |
- | // named will fallback to using 512 bytes if it get a series of timeout at | + | // named will fallback to using 512 bytes if it get a series of timeout at |
- | // the initial value. 512 bytes is not being offered to encourage sites to | + | // the initial value. 512 bytes is not being offered to encourage sites to |
- | // fix their firewalls. Small EDNS UDP sizes will result in the excessive | + | // fix their firewalls. Small EDNS UDP sizes will result in the excessive |
- | // use of TCP. | + | // use of TCP. |
- | edns-udp-size 4096; | + | edns-udp-size 4096; |
- | // Sets the maximum EDNS UDP message size named will send in bytes. Valid | + | // Sets the maximum EDNS UDP message size named will send in bytes. Valid |
- | // values are 512 to 4096 (values outside this range will be silently | + | // values are 512 to 4096 (values outside this range will be silently |
- | // adjusted). The default value is 4096. The usual reason for setting | + | // adjusted). The default value is 4096. The usual reason for setting |
- | // max-udp-size to a non-default value is to get UDP answers to pass | + | // max-udp-size to a non-default value is to get UDP answers to pass |
- | // through broken firewalls that block fragmented packets and/or block UDP | + | // through broken firewalls that block fragmented packets and/or block UDP |
- | // packets that are greater than 512 bytes. This is independent of the | + | // packets that are greater than 512 bytes. This is independent of the |
- | // advertised receive buffer (edns-udp-size). | + | // advertised receive buffer (edns-udp-size). |
- | // Setting this to a low value will encourage additional TCP traffic to | + | // Setting this to a low value will encourage additional TCP traffic to |
- | // the nameserver. | + | // the nameserver. |
- | max-udp-size 4096; | + | max-udp-size 4096; |
- | // Set the initial value (minimum) number of recursive simultaneous | + | // Set the initial value (minimum) number of recursive simultaneous |
- | // clients for any given query (< | + | // clients for any given query (< |
- | // accept before dropping additional clients. named will attempt to self | + | // accept before dropping additional clients. named will attempt to self |
- | // tune this value and changes will be logged. The default values are 10. | + | // tune this value and changes will be logged. The default values are 10. |
- | clients-per-query 10; | + | clients-per-query 10; |
- | // Set the initial value (maximum) number of recursive simultaneous | + | // Set the initial value (maximum) number of recursive simultaneous |
- | // clients for any given query (< | + | // clients for any given query (< |
- | // accept before dropping additional clients. named will attempt to self | + | // accept before dropping additional clients. named will attempt to self |
- | // tune this value and changes will be logged. The default values are 100. | + | // tune this value and changes will be logged. The default values are 100. |
- | max-clients-per-query 100; | + | max-clients-per-query 100; |
- | | + | // ------------------------------------------------------------------------ |
- | // Build-in server information zones. | + | // Build-in server information zones. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // The version the server should report via a query of the name |
- | // version.bind with type TXT, class CHAOS. The default is the real version | + | // version.bind with type TXT, class CHAOS. The default is the real version |
- | // number of this server. Specifying version none disables processing of | + | // number of this server. Specifying version none disables processing of |
- | // the queries. | + | // the queries. |
- | version none; | + | version none; |
- | // The hostname the server should report via a query of the name | + | // The hostname the server should report via a query of the name |
- | // hostname.bind with type TXT, class CHAOS. This defaults to the hostname | + | // hostname.bind with type TXT, class CHAOS. This defaults to the hostname |
- | // of the machine hosting the name server as found by the gethostname() | + | // of the machine hosting the name server as found by the gethostname() |
- | // function. | + | // function. |
- | // Tachtler - NOT default - | + | // Tachtler - NOT default - |
- | // hostname " | + | // hostname " |
- | // The ID the server should report when receiving a Name Server Identifier | + | // The ID the server should report when receiving a Name Server Identifier |
- | // (NSID) query, or a query of the name ID.SERVER with type TXT, class | + | // (NSID) query, or a query of the name ID.SERVER with type TXT, class |
- | // CHAOS. The primary purpose of such queries is to identify which of a | + | // CHAOS. The primary purpose of such queries is to identify which of a |
- | // group of anycast servers is actually answering your queries. Specifying | + | // group of anycast servers is actually answering your queries. Specifying |
- | // server-id none; disables processing of the queries. Specifying server-id | + | // server-id none; disables processing of the queries. Specifying server-id |
- | // hostname; will cause named to use the hostname as found by the | + | // hostname; will cause named to use the hostname as found by the |
- | // gethostname() function. The default server-id is none. | + | // gethostname() function. The default server-id is none. |
- | server-id none; | + | server-id none; |
- | | + | // ------------------------------------------------------------------------ |
- | // Build-in empty zones. | + | // Build-in empty zones. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // - empty - |
- | | + | // ------------------------------------------------------------------------ |
- | // Additional section caching. | + | // Additional section caching. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // - empty - |
- | | + | // ------------------------------------------------------------------------ |
- | // Content filtering. | + | // Content filtering. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // - empty - |
- | | + | // ------------------------------------------------------------------------ |
- | // Response policy zone (RPZ) rewriting. | + | // Response policy zone (RPZ) rewriting. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // - empty - |
- | | + | // ------------------------------------------------------------------------ |
- | // Response rate limiting. | + | // Response rate limiting. |
- | // ------------------------------------------------------------------------ | + | // ------------------------------------------------------------------------ |
- | | + | // - empty - |
}; | }; | ||
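Review bot: `hostname` stays commented out (the `// Tachtler - NOT default -` pair) while `version none;` and `server-id none;` are set, so per the kept comment above it named still answers hostname.bind/CHAOS with the gethostname() result; if the intent is to hide server identity consistently, set `hostname none;` as well. The new section banners also read `Build-in` twice; that should be `Built-in`.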
Zeile 1371: | Zeile 1383: | ||
// | // | ||
view " | view " | ||
- | | + | // Match for the client IP address. |
- | match-clients { home; }; | + | match-clients { home; }; |
// IMPORTANT: A zone can be updated either by editing zone files and | // IMPORTANT: A zone can be updated either by editing zone files and | ||
- | | + | // reloading the server or by dynamic update, but not both. If you have |
- | // enabled dynamic update for a zone using the " | + | // enabled dynamic update for a zone using the " |
- | // are not supposed to edit the zone file by hand, and the server will not | + | // are not supposed to edit the zone file by hand, and the server will not |
- | // attempt to reload it. | + | // attempt to reload it. |
- | | + | // Zone: root server. ----------------------------------------------------- |
- | zone " | + | zone " |
- | type hint; | + | type hint; |
- | file " | + | file " |
- | }; | + | }; |
- | | + | // Zone: localhost. ------------------------------------------------------- |
- | include "/ | + | include "/ |
+ | include "/ | ||
- | | + | // Zone: home.tachtler.net ------------------------------------------------ |
- | zone " | + | zone " |
- | type master; | + | inline-signing yes; |
- | file " | + | auto-dnssec maintain; |
- | }; | + | key-directory "/ |
+ | type master; | ||
+ | file " | ||
+ | // nsupdate | ||
+ | allow-update { key " | ||
+ | }; | ||
- | | + | zone " |
- | type master; | + | inline-signing yes; |
- | file " | + | auto-dnssec maintain; |
- | }; | + | key-directory "/ |
+ | type master; | ||
+ | file " | ||
+ | // nsupdate | ||
+ | allow-update { key " | ||
+ | }; | ||
+ | |||
+ | // Zone: idmz.tachtler.net ------------------------------------------------ | ||
+ | zone " | ||
+ | inline-signing yes; | ||
+ | auto-dnssec maintain; | ||
+ | key-directory "/ | ||
+ | type master; | ||
+ | file " | ||
+ | // nsupdate | ||
+ | allow-update { key " | ||
+ | }; | ||
+ | |||
+ | zone " | ||
+ | inline-signing yes; | ||
+ | auto-dnssec maintain; | ||
+ | key-directory "/ | ||
+ | type master; | ||
+ | file " | ||
+ | // nsupdate | ||
+ | allow-update { key " | ||
+ | }; | ||
+ | |||
+ | // Zone: tachtler.net (HOME) ---------------------------------------------- | ||
+ | zone " | ||
+ | inline-signing yes; | ||
+ | auto-dnssec maintain; | ||
+ | key-directory "/ | ||
+ | type master; | ||
+ | file " | ||
+ | // nsupdate | ||
+ | allow-update { key " | ||
+ | }; | ||
- | // Zone: tachtler.net (HOME) ---------------------------------------------- | ||
- | zone " | ||
- | type master; | ||
- | file " | ||
- | }; | ||
}; | }; | ||
view " | view " | ||
- | | + | // Match for the client IP address. |
- | match-clients { localhost; idmz; }; | + | match-clients { localhost; idmz; key " |
// IMPORTANT: A zone can be updated either by editing zone files and | // IMPORTANT: A zone can be updated either by editing zone files and | ||
- | | + | // reloading the server or by dynamic update, but not both. If you have |
- | // enabled dynamic update for a zone using the " | + | // enabled dynamic update for a zone using the " |
- | // are not supposed to edit the zone file by hand, and the server will not | + | // are not supposed to edit the zone file by hand, and the server will not |
- | // attempt to reload it. | + | // attempt to reload it. |
- | | + | // Zone: root server. ----------------------------------------------------- |
- | zone " | + | zone " |
- | type hint; | + | type hint; |
- | file " | + | file " |
- | }; | + | }; |
- | | + | // Zone: localhost. ------------------------------------------------------- |
- | include "/ | + | include "/ |
+ | include "/ | ||
- | | + | // Zone: home.tachtler.net ------------------------------------------------ |
- | zone " | + | zone " |
- | type master; | + | inline-signing yes; |
- | file " | + | auto-dnssec maintain; |
- | }; | + | key-directory "/ |
+ | type master; | ||
+ | file " | ||
+ | // nsupdate | ||
+ | allow-update { key " | ||
+ | }; | ||
- | | + | zone " |
- | type master; | + | inline-signing yes; |
- | file " | + | auto-dnssec maintain; |
- | }; | + | key-directory "/ |
+ | type master; | ||
+ | file " | ||
+ | // nsupdate | ||
+ | allow-update { key " | ||
+ | }; | ||
- | | + | // Zone: idmz.tachtler.net ------------------------------------------------ |
- | zone " | + | zone " |
- | type master; | + | inline-signing yes; |
- | file " | + | auto-dnssec maintain; |
- | }; | + | key-directory "/ |
+ | type master; | ||
+ | file " | ||
+ | // nsupdate | ||
+ | allow-update { key " | ||
+ | }; | ||
- | | + | zone " |
- | type master; | + | inline-signing yes; |
- | file " | + | auto-dnssec maintain; |
- | }; | + | key-directory "/ |
+ | type master; | ||
+ | file " | ||
+ | // nsupdate | ||
+ | allow-update { key " | ||
+ | }; | ||
- | | + | // Zone: edmz.tachtler.net ------------------------------------------------ |
- | zone " | + | zone " |
- | type master; | + | inline-signing yes; |
- | file " | + | auto-dnssec maintain; |
- | }; | + | key-directory "/ |
+ | type master; | ||
+ | file " | ||
+ | // nsupdate | ||
+ | allow-update { key " | ||
+ | }; | ||
- | | + | zone " |
- | type master; | + | inline-signing yes; |
- | file " | + | auto-dnssec maintain; |
- | }; | + | key-directory "/ |
+ | type master; | ||
+ | file " | ||
+ | // nsupdate | ||
+ | allow-update { key " | ||
+ | }; | ||
+ | |||
+ | // Zone: tachtler.net (IDMZ) ---------------------------------------------- | ||
+ | zone " | ||
+ | inline-signing yes; | ||
+ | auto-dnssec maintain; | ||
+ | key-directory "/ | ||
+ | type master; | ||
+ | file " | ||
+ | // nsupdate | ||
+ | allow-update { key " | ||
+ | }; | ||
- | // Zone: tachtler.net (IDMZ) ---------------------------------------------- | ||
- | zone " | ||
- | type master; | ||
- | file " | ||
- | }; | ||
}; | }; | ||
view " | view " | ||
- | | + | // Match for the client IP address. |
- | match-clients { edmz; }; | + | match-clients { edmz; key " |
// IMPORTANT: A zone can be updated either by editing zone files and | // IMPORTANT: A zone can be updated either by editing zone files and | ||
- | | + | // reloading the server or by dynamic update, but not both. If you have |
- | // enabled dynamic update for a zone using the " | + | // enabled dynamic update for a zone using the " |
- | // are not supposed to edit the zone file by hand, and the server will not | + | // are not supposed to edit the zone file by hand, and the server will not |
- | // attempt to reload it. | + | // attempt to reload it. |
- | | + | // Zone: root server. ----------------------------------------------------- |
- | zone " | + | zone " |
- | type hint; | + | type hint; |
- | file " | + | file " |
- | }; | + | }; |
- | | + | // Zone: localhost. ------------------------------------------------------- |
- | include "/ | + | include "/ |
+ | include "/ | ||
- | | + | // Zone: edmz.tachtler.net ------------------------------------------------ |
- | zone " | + | zone " |
- | type master; | + | inline-signing yes; |
- | file " | + | auto-dnssec maintain; |
- | }; | + | key-directory "/ |
+ | type master; | ||
+ | file " | ||
+ | // nsupdate | ||
+ | allow-update { key " | ||
+ | }; | ||
- | | + | zone " |
- | type master; | + | inline-signing yes; |
- | file " | + | auto-dnssec maintain; |
- | }; | + | key-directory "/ |
+ | type master; | ||
+ | file " | ||
+ | // nsupdate | ||
+ | allow-update { key " | ||
+ | }; | ||
+ | |||
+ | // Zone: tachtler.net (EDMZ) ---------------------------------------------- | ||
+ | zone " | ||
+ | inline-signing yes; | ||
+ | auto-dnssec maintain; | ||
+ | key-directory "/ | ||
+ | type master; | ||
+ | file " | ||
+ | // nsupdate | ||
+ | allow-update { key " | ||
+ | }; | ||
- | // Zone: tachtler.net (EDMZ) ---------------------------------------------- | ||
- | zone " | ||
- | type master; | ||
- | file " | ||
- | }; | ||
}; | }; | ||
view " | view " | ||
- | | + | // Match for the client IP address. |
- | match-clients { any; }; | + | match-clients { any; key " |
- | | + | // If recursion is off and the server does not already know the answer, |
- | // it will return a referral response. | + | // it will return a referral response. |
- | recursion no; | + | recursion no; |
- | | + | // Specifies which hosts are allowed to make recursive queries through this |
- | // server. | + | // server. |
- | allow-recursion { none; }; | + | allow-recursion { none; }; |
// IMPORTANT: A zone can be updated either by editing zone files and | // IMPORTANT: A zone can be updated either by editing zone files and | ||
- | | + | // reloading the server or by dynamic update, but not both. If you have |
- | // enabled dynamic update for a zone using the " | + | // enabled dynamic update for a zone using the " |
- | // are not supposed to edit the zone file by hand, and the server will not | + | // are not supposed to edit the zone file by hand, and the server will not |
- | // attempt to reload it. | + | // attempt to reload it. |
- | | + | // Zone: root server. ----------------------------------------------------- |
- | zone " | + | zone " |
- | type hint; | + | type hint; |
- | file " | + | file " |
- | }; | + | }; |
- | | + | // Zone: localhost. ------------------------------------------------------- |
- | include "/ | + | include "/ |
+ | include "/ | ||
- | | + | // Zone: tachtler.net (PDMZ) ---------------------------------------------- |
- | zone " | + | zone " |
- | type master; | + | inline-signing yes; |
- | file " | + | auto-dnssec maintain; |
- | }; | + | key-directory "/ |
+ | type master; | ||
+ | file " | ||
+ | // nsupdate | ||
+ | allow-update { key " | ||
+ | }; | ||
- | | + | zone " |
- | type master; | + | inline-signing yes; |
- | file " | + | auto-dnssec maintain; |
- | }; | + | key-directory "/ |
+ | type master; | ||
+ | file " | ||
+ | // nsupdate | ||
+ | allow-update { key " | ||
+ | }; | ||
}; | }; | ||
Zeile 1545: | Zeile 1660: | ||
// Includes. | // Includes. | ||
// ================================================================================ | // ================================================================================ | ||
- | include "/ | ||
</ | </ | ||
Zeile 2218: | Zeile 2332: | ||
// DLV domain and trust anchor will be used, along with a built-in key for | // DLV domain and trust anchor will be used, along with a built-in key for | ||
// validation. | // validation. | ||
- | dnssec-lookaside auto; | + | |
+ | //dnssec-lookaside auto; | ||
... | ... | ||
</ | </ | ||
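Review bot: commenting out `dnssec-lookaside auto;` is the right direction (ISC decommissioned the DLV registry dlv.isc.org in 2017, and later BIND releases drop the option altogether), but the two comment lines kept above it still state that the DLV domain and trust anchor "will be used", which is no longer true; update or remove that comment so the configuration does not describe behaviour that is disabled.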
Zeile 2253: | Zeile 2368: | ||
// Zone: localhost. ------------------------------------------------------- | // Zone: localhost. ------------------------------------------------------- | ||
include "/ | include "/ | ||
+ | include "/ | ||
// Zone: tachtler.net (PDMZ) ---------------------------------------------- | // Zone: tachtler.net (PDMZ) ---------------------------------------------- | ||
Zeile 2406: | Zeile 2522: | ||
</ | </ | ||
- | ==== Manuelle Zone-Datei Updates ==== | + | ===== Manuelle Zone-Datei Updates |
Wenn sowohl DNSSec als auch dynamische Updates aktiviert sind, funktioniert das Aktualisieren von **Zonendaten/ | Wenn sowohl DNSSec als auch dynamische Updates aktiviert sind, funktioniert das Aktualisieren von **Zonendaten/ | ||
Zeile 2414: | Zeile 2530: | ||
und die Änderungen an den **Zonendaten/ | und die Änderungen an den **Zonendaten/ | ||
- | Um auf Dateiebene die **Zonendaten/ | + | Um auf Dateiebene die **Zonendaten/ |
< | < | ||
# rndc freeze intra.tachtler.net | # rndc freeze intra.tachtler.net | ||
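Review bot: `rndc freeze intra.tachtler.net` names only the zone. The configuration above defines the same zone names (for example tachtler.net) in several views, and for such zones named rejects the short form with an error that the zone was found in multiple views; use the full form `rndc freeze <zone> [<class> [<view>]]`, for example `rndc freeze <zone> IN <view>` (view names are cut off in this rendering, hence the placeholder), and the matching `rndc thaw <zone> IN <view>` afterwards, which reloads the edited file and re-enables dynamic updates.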
Zeile 2466: | Zeile 2582: | ||
==== / | ==== / | ||
- | Für den Inhalt des jeweiligen Zonen-Schlüssels, | + | Der Inhalt der Datei sollte dann wie folgt **aussehen**: |
- | <code ini> | + | |
- | # cat / | + | |
- | Private-key-format: | + | |
- | Algorithm: 157 (HMAC_MD5) | + | |
- | Key: K3EaOD3IysiC/ | + | |
- | Bits: AAA= | + | |
- | Created: 20160217132139 | + | |
- | Publish: 20160217132139 | + | |
- | Activate: 20160217132139 | + | |
- | </ | + | |
- | + | ||
- | Der Inhalt der Datei sollte dann wie folgt **erweitert** werden: | + | |
<code ini> | <code ini> | ||
managed-keys { | managed-keys { | ||
Zeile 2484: | Zeile 2588: | ||
# Updates are published on root-dnssec-announce@icann.org | # Updates are published on root-dnssec-announce@icann.org | ||
. initial-key 257 3 8 " | . initial-key 257 3 8 " | ||
- | }; | ||
- | key " | ||
- | algorithm hmac-md5; | ||
- | secret " | ||
- | }; | ||
- | </ | ||
- | |||
- | Neu ist hier der Bereich: | ||
- | <code ini> | ||
- | key " | ||
- | algorithm hmac-md5; | ||
- | secret " | ||
}; | }; | ||
</ | </ | ||
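Review bot: taking the `key "…" { algorithm hmac-md5; secret "…"; };` block out of this file is the right separation: the file holds the DNSSEC trust anchor (`. initial-key 257 3 8 "…"`) inside `managed-keys { … };`, and a TSIG secret used for `allow-update` does not belong next to it; it should live in a file of its own with restricted permissions.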
Zeile 2523: | Zeile 2615: | ||
<code ini> | <code ini> | ||
allow-update { key " | allow-update { key " | ||
+ | </ | ||
+ | |||
+ | Für den Inhalt des jeweiligen Zonen-Schlüssels, | ||
+ | <code ini> | ||
+ | # cat / | ||
+ | Private-key-format: | ||
+ | Algorithm: 157 (HMAC_MD5) | ||
+ | Key: K3EaOD3IysiC/ | ||
+ | Bits: AAA= | ||
+ | Created: 20160217132139 | ||
+ | Publish: 20160217132139 | ||
+ | Activate: 20160217132139 | ||
+ | </ | ||
+ | |||
+ | Der Inhalt der Datei sollte dann wie folgt **erweitert** werden: | ||
+ | |||
+ | (**Nur relevanter Ausschnitt**) | ||
+ | <code ini> | ||
+ | ... | ||
+ | // ================================================================================ | ||
+ | // Includes. | ||
+ | // ================================================================================ | ||
+ | |||
+ | key " | ||
+ | algorithm hmac-md5; | ||
+ | secret " | ||
+ | }; | ||
+ | </ | ||
+ | |||
+ | Neu ist hier der Bereich: | ||
+ | <code ini> | ||
+ | key " | ||
+ | algorithm hmac-md5; | ||
+ | secret " | ||
+ | }; | ||
</ | </ | ||
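Review bot: the TSIG key re-added here still uses `algorithm hmac-md5;` (the generated key file shows `Algorithm: 157 (HMAC_MD5)`); HMAC-MD5 is the weakest TSIG algorithm BIND supports and is kept only for compatibility, so generate the key with `tsig-keygen -a hmac-sha256 <name>` (older releases: `dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST <name>`) and set `algorithm hmac-sha256;` in the `key` block. The block with its `secret` is also placed inline under the `// Includes.` banner of named.conf; keeping it in a separate file readable only by root and the named group and pulling it in with `include` keeps the secret out of the main configuration file, which is read far more often than a key file.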
Zeile 2679: | Zeile 2806: | ||
< | < | ||
# dig +bufsize=1200 +norec NS . @a.root-servers.net > / | # dig +bufsize=1200 +norec NS . @a.root-servers.net > / | ||
+ | </ | ||
+ | |||
+ | Komplette Zonendatei der **'' | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | < | ||
+ | # dig +bufsize=1200 +norec AXFR . @lax.xfr.dns.icann.org > / | ||
</ | </ | ||
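Review bot: in the added root-zone AXFR command, `+bufsize=1200` and `+norec` have no effect: `+bufsize` only sets the EDNS UDP payload size and a zone transfer always runs over TCP, and the recursion-desired bit is irrelevant to AXFR, so `dig AXFR . @lax.xfr.dns.icann.org` is the honest form. Before the fetched file replaces the hints file, run `named-checkzone . <file>` on it, because dig writes whatever it received (including a transfer failure message) into the redirected file and a truncated transfer would otherwise be loaded as the root hints.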
Zeile 2698: | Zeile 2832: | ||
Debugging Befehl für ein Abfrage via '' | Debugging Befehl für ein Abfrage via '' | ||
< | < | ||
- | dig +trace +recurse +all +qr -t NS google.de | + | dig @127.0.0.1 |
</ | </ | ||
tachtler/dns_isc_bind_centos_7.txt · Last modified: 2021/11/14 14:51 by klaus