Academic year 97 (2008) SNMG training: DNS & BIND
enc1215@gmail.com

Outline
DNS
BIND
Resolver
Named
Managing named
Updating DNS
Querying DNS
DNS: the Domain Name System maps domain names to IP addresses (and IP addresses back to names). Each DNS server holds the data for the zones it is responsible for and answers only for those. The servers form a tree, with the root name servers at the top.

DNS (2): below the root come the top-level domains (com, edu, gov, org, net, cc, tw, ...); below those, second-level names such as ptt under cc, com and edu under tw, and ncu under edu.tw.

DNS (3): there are two kinds of query. In a recursive query the server resolves the name completely on the client's behalf; in an iterative query the server answers with what it knows, usually a referral to the next server, and the asker continues itself. A DNS server first looks in its cache; on a miss it starts at a root name server and follows the referrals down to the server that is authoritative for the name.

DNS (4): resolving cc.ncu.edu.tw: a root server refers the query to the tw servers; tw refers it to edu.tw; edu.tw refers it to ncu.edu.tw; the ncu.edu.tw server finally answers for cc.
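The walk just described, as an added example that is not part of the original slides: an offline simulation of an iterative resolver that starts at the root hint, follows each referral, and caches both answers and delegations so that later lookups under ncu.edu.tw skip the root and tw servers. The delegation tree is constructed for the demo; only cc.ncu.edu.tw, its address 140.115.17.213 and the server names come from this page, and mapping sun1.ncu.edu.tw to 140.115.1.31 is an assumption.

```python
"""Added example (not from the slides): offline simulation of the iterative walk
from the root down to cc.ncu.edu.tw, with the cache a DNS server keeps.
The delegation tree is constructed; sun1.ncu.edu.tw = 140.115.1.31 is assumed."""

ROOT_HINT = "198.41.0.4"   # a.root-servers.net: the address a resolver starts from

# Constructed stand-in for the real servers, keyed by the address a query goes to.
SERVERS = {
    ROOT_HINT: {"records": {},
                "delegations": {"tw.": ("a.dns.tw.", "192.0.2.1")}},             # constructed
    "192.0.2.1": {"records": {},
                  "delegations": {"edu.tw.": ("moevax.edu.tw.", "192.0.2.2")}},  # constructed
    "192.0.2.2": {"records": {},
                  "delegations": {"ncu.edu.tw.": ("sun1.ncu.edu.tw.", "140.115.1.31")}},
    "140.115.1.31": {"records": {"cc.ncu.edu.tw.": "140.115.17.213",
                                 "sun1.ncu.edu.tw.": "140.115.1.31"},  # assumed address
                     "delegations": {}},
}


def ask(server_addr, qname):
    """One non-recursive query: the server answers from its own data, refers us to
    the closest child zone it has delegated, or reports that the name does not exist."""
    srv = SERVERS[server_addr]
    if qname in srv["records"]:
        return "answer", srv["records"][qname]
    best = None
    for zone, (ns, addr) in srv["delegations"].items():
        if (qname == zone or qname.endswith("." + zone)) and (best is None or len(zone) > len(best[0])):
            best = (zone, ns, addr)
    return ("referral", best) if best else ("nxdomain", None)


class IterativeResolver:
    """Follows referrals itself instead of asking another server to recurse,
    and remembers both answers and the delegations learnt on the way."""

    def __init__(self):
        self.answers = {}       # qname -> address
        self.delegations = {}   # zone -> (ns name, ns address)
        self.queries_sent = 0

    def closest_known_server(self, qname):
        """Start at the deepest cached delegation enclosing qname, else at the root."""
        labels = qname.rstrip(".").split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:]) + "."
            if zone in self.delegations:
                return self.delegations[zone][1]
        return ROOT_HINT

    def resolve(self, name):
        """Return (address or None, list of servers that were asked)."""
        qname = name if name.endswith(".") else name + "."
        if qname in self.answers:
            return self.answers[qname], []          # cache hit: no query at all
        server, path = self.closest_known_server(qname), []
        for _ in range(8):   # bound the walk so a broken delegation cannot loop forever
            self.queries_sent += 1
            path.append(server)
            kind, data = ask(server, qname)
            if kind == "answer":
                self.answers[qname] = data
                return data, path
            if kind == "nxdomain":
                return None, path
            zone, ns, addr = data
            self.delegations[zone] = (ns, addr)     # cache the referral for later lookups
            server = addr
        raise RuntimeError("referral loop while resolving " + qname)


if __name__ == "__main__":
    r = IterativeResolver()
    for n in ("cc.ncu.edu.tw", "sun1.ncu.edu.tw", "cc.ncu.edu.tw", "nothing.ncu.edu.tw"):
        print(n, "->", r.resolve(n), "queries so far:", r.queries_sent)
```

The first lookup costs four queries (root, tw, edu.tw, ncu.edu.tw); the second name under ncu.edu.tw goes straight to the cached delegation and costs one; the repeated name costs none.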
DNS (6): reverse DNS maps an IP address back to a domain name. It lives under the special top-level domain arpa: in-addr.arpa for IPv4 and ip6.arpa for IPv6.

DNS (7): common record types: SOA (start of authority: the zone's parameters), NS (an authoritative DNS server for the zone), MX (the mail server that receives mail for the domain), A (IPv4 address of a name), CNAME (alias for another name), PTR (reverse pointer from an IP to a name), TXT (free text).
BIND: the Berkeley Internet Name Domain is the most widely used DNS software on Unix. It has two sides: the client, the resolver, which sends queries to a DNS server, and the server, named. FreeBSD ships BIND 9. A BIND host can be set up in several roles: resolver-only, caching-only, master, or slave. A resolver-only host just points resolv.conf at a DNS server and does not run named at all.

Resolver: names can be looked up in the hosts file or through DNS. The hosts file maps hostnames to IPs locally; the order in which hosts and DNS are consulted is set in host.conf.

Resolver (2): /etc/resolv.conf example:
    nameserver 140.115.1.31
    nameserver 140.115.19.42
    domain cc.ncu.edu.tw
    search cc.ncu.edu.tw ncu.edu.tw
nameserver gives the IP of a DNS server to query; several may be listed and they are tried in order. domain is the local domain name. search lists the domains appended, in order, to a name that is not fully qualified. domain and search are mutually exclusive: if both appear, the last one wins.
Named: named works from named.conf (its configuration), named.root (the list of root name servers), zone files (the forward records of each zone) and reverse zone files (the PTR records). A caching-only server needs only named.conf and named.root, no zone files.

Named (2): named.conf is the main configuration of the DNS server. options {} holds server-wide settings; zone {} blocks declare the root hints and each local zone together with its zone file.

Named (3): named.conf example:
    options {
        directory "/etc/namedb";
        pid-file "/var/run/named/pid";
        // listen-on { 127.0.0.1; };
    };
    zone "." {
        type hint;
        file "named.root";
    };
directory is the working directory; zone file names are relative to it. pid-file is where named writes its process id. listen-on selects the addresses named listens on; commented out as here, it listens on all of them. The hint zone "." points at the root servers.

Named (4): a forward zone and a reverse zone:
    zone "ncu.tw" {
        type slave;
        file "slave/ncutw.zone";
        masters { 140.115.189.112; };
    };
    zone "189.115.140.in-addr.arpa" {
        type master;
        file "master/189.rev";
    };
The first makes this server a slave for ncu.tw: the zone file is transferred from the master listed in masters and stored under file. The second makes it the master for the reverse zone of 140.115.189.*.
Named (5): zone file example:
    $TTL 3h
    $ORIGIN ncu.tw.
    @       IN SOA ns.ncu.tw. root.ns.ncu.tw. (
                2008062601 ; serial
                1d         ; refresh
                12h        ; retry
                1w         ; expire
                3h )       ; negative cache TTL
            IN NS   ns.ncu.tw.
            IN NS   mail.ncu.tw.
            IN MX   10 mail.ncu.tw.
            IN MX   20 ns.ncu.tw.
    ns.ncu.tw.  IN A     140.115.189.112
    cc          IN CNAME ns.ncu.tw.
    mail        IN A     140.115.189.105
A name that ends in "." is absolute. A name without the trailing dot has $ORIGIN appended, so "mail" here means mail.ncu.tw; writing mail.ncu.tw without the dot would give mail.ncu.tw.ncu.tw. The MX records name the servers that receive mail for the domain; the lower preference value (10) is tried first.

$TTL sets the default TTL for records that carry none of their own (3h here). The SOA fields are: serial, the zone's version number (a slave refreshes only when the master's serial is higher, so increase it on every change; YYYYMMDDnn as above is the usual convention); refresh, how often a slave checks the master for a new serial (1d); retry, how long a slave waits before trying again after a refresh failed because the master could not be reached (12h); expire, how long a slave keeps answering for the zone without having reached the master (1w); and the negative-cache TTL (3h).

Named (6): reverse zone file example (master/189.rev):
    $TTL 3h
    $ORIGIN 189.115.140.in-addr.arpa.
    @       IN SOA ns.ncu.tw. root.ns.ncu.tw. (
                2008062601 ; serial
                1d         ; refresh
                12h        ; retry
                1w         ; expire
                3h )       ; negative cache TTL
            IN NS  ns.ncu.tw.
    112     IN PTR ns.ncu.tw.
    105     IN PTR mail.ncu.tw.
The owner names 112 and 105 are relative to $ORIGIN, so they stand for 112.189.115.140.in-addr.arpa and 105.189.115.140.in-addr.arpa, the reverse names of 140.115.189.112 and 140.115.189.105.

Named (7): named-checkconf checks named.conf, named-checkzone checks a zone file:
    named-checkconf
    named-checkzone ncu.tw slave/ncutw.zone
named-checkzone takes the zone name followed by the zone file.
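The checks above, plus one named-checkzone does not make, as an added example that is not part of the original slides: a small master-file parser for the forward and reverse zones shown on this page, followed by sanity checks on SOA timer order, CNAME exclusivity, in-zone NS/MX targets without an A record (the usual symptom of a forgotten trailing dot), and forward/reverse consistency between the A and PTR records. The zone text is the page's ncu.tw example; the two records marked "constructed" were added so that each check has something to report.

```python
"""Added example (not from the slides): a zone sanity checker in the spirit of
named-checkzone plus the forward/reverse consistency check it does not do.
Zone text is this page's ncu.tw example with two constructed records added."""
import re

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}  # rdata fields that are names

def seconds(value):
    """BIND time value (300, 12h, 1w) -> seconds."""
    number, unit = re.fullmatch(r"(\d+)([smhdw]?)", value, re.I).groups()
    return int(number) * UNITS[unit.lower()]

def qualify(name, origin):
    """'@' is the origin; a name ending in '.' is absolute; anything else gets $ORIGIN appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def parse_zone(text):
    """Minimal master-file parser: $TTL, $ORIGIN, blank owner, ( ) continuation, ; comments.
    Returns (origin, [(owner, type, rdata_tokens), ...]); per-record TTLs are dropped."""
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            logical.append(" ".join(buf))
            buf, depth = [], 0
    origin, last_owner, records = None, None, []
    for line in logical:
        if not line.strip() or line.startswith("$TTL"):
            continue
        toks = line.split()
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        owner = last_owner if line[0].isspace() else qualify(toks.pop(0), origin)
        last_owner = owner
        if re.fullmatch(r"\d+[smhdw]?", toks[0], re.I):   # optional per-record TTL
            toks.pop(0)
        if toks[0].upper() == "IN":
            toks.pop(0)
        rtype = toks.pop(0).upper()
        rdata = [qualify(t, origin) if i in NAME_FIELDS.get(rtype, []) else t for i, t in enumerate(toks)]
        records.append((owner, rtype, rdata))
    return origin, records

def check_zone(origin, records):
    """SOA timer order, CNAME exclusivity, in-zone NS/MX targets that have no A record."""
    problems, types_by_owner = [], {}
    for owner, rtype, _ in records:
        types_by_owner.setdefault(owner, []).append(rtype)
    for owner, types in types_by_owner.items():
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{owner}: CNAME must not coexist with other records")
    for owner, rtype, rdata in records:
        if rtype == "SOA":
            refresh, retry, expire = (seconds(v) for v in rdata[3:6])
            if not retry < refresh < expire:
                problems.append(f"{owner}: SOA timers should satisfy retry < refresh < expire")
        elif rtype in ("NS", "MX"):
            target = rdata[-1]
            if target.endswith("." + origin) and "A" not in types_by_owner.get(target, []):
                problems.append(f"{owner}: {rtype} target {target} has no A record in this zone")
    return problems

def check_reverse(fwd_records, rev_records, rev_origin):
    """Every A record inside the reverse zone's network needs a PTR pointing back at it,
    and every PTR needs a matching A record (mail servers are rejected without this)."""
    prefix = ".".join(rev_origin[:-len(".in-addr.arpa.")].split(".")[::-1]) + "."
    a_by_ip = {rd[0]: owner for owner, t, rd in fwd_records if t == "A" and rd[0].startswith(prefix)}
    ptr_by_ip = {prefix + ".".join(owner[:-len("." + rev_origin)].split(".")[::-1]): rd[0]
                 for owner, t, rd in rev_records if t == "PTR"}
    problems = []
    for ip, name in a_by_ip.items():
        if ip not in ptr_by_ip:
            problems.append(f"{name} A {ip}: no PTR in {rev_origin}")
        elif ptr_by_ip[ip] != name:
            problems.append(f"PTR for {ip} is {ptr_by_ip[ip]} but the A record belongs to {name}")
    problems += [f"PTR {ip} -> {name}: no matching A record" for ip, name in ptr_by_ip.items() if ip not in a_by_ip]
    return problems

FORWARD_ZONE = """\
$TTL 3h
$ORIGIN ncu.tw.
@       IN SOA ns.ncu.tw. root.ns.ncu.tw. (
            2008062601 ; serial
            1d         ; refresh
            12h        ; retry
            1w         ; expire
            3h )       ; negative cache TTL
        IN NS   ns.ncu.tw.
        IN NS   mail.ncu.tw.
        IN MX   10 mail.ncu.tw.
        IN MX   20 ns.ncu.tw.
        IN MX   30 backup.ncu.tw     ; constructed: trailing dot forgotten
ns.ncu.tw.  IN A     140.115.189.112
cc          IN CNAME ns.ncu.tw.
mail        IN A     140.115.189.105
ftp         IN A     140.115.189.120 ; constructed: no PTR in the reverse zone
"""
REVERSE_ZONE = """\
$TTL 3h
$ORIGIN 189.115.140.in-addr.arpa.
@   IN SOA ns.ncu.tw. root.ns.ncu.tw. ( 2008062601 1d 12h 1w 3h )
    IN NS  ns.ncu.tw.
112 IN PTR ns.ncu.tw.
105 IN PTR mail.ncu.tw.
"""

def run_checks():
    fwd_origin, fwd = parse_zone(FORWARD_ZONE)
    rev_origin, rev = parse_zone(REVERSE_ZONE)
    return check_zone(fwd_origin, fwd) + check_zone(rev_origin, rev) + check_reverse(fwd, rev, rev_origin)

if __name__ == "__main__":
    for problem in run_checks():
        print(problem)
```

Run as is, it reports two problems: the MX target became backup.ncu.tw.ncu.tw. because the dot was left off, and ftp has an A record in 140.115.189.0/24 but no PTR in the reverse zone. The page's own records pass both checks.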
Managing named: BIND 9 ships rndc for controlling a running DNS server. rndc authenticates to named with a key id and a shared secret; the secret is configured on the server side in named.conf and on the client side in rndc.conf.

Managing named (2): generate the key:
    dnssec-keygen -a hmac-md5 -b 128 -n HOST rndc-key
    cat Krndc-key.+157+44588.key
    rndc-key. IN KEY 512 3 157 CAO2hpKTqQr9Wapy2Y0Rfw==
The last field of the KEY record is the base64 secret.

Managing named (3): named.conf:
    key "rndc-key" {
        algorithm hmac-md5;
        secret "CAO2hpKTqQr9Wapy2Y0Rfw==";
    };
    controls {
        inet 140.115.189.105 port 953
            allow { localhost; 140.115.189.112; }
            keys { rndc-key; };
    };
key declares the key id, algorithm and secret. controls gives the address and port on which named accepts rndc connections, the source addresses allowed to connect, and the keys they must present.

Managing named (4): rndc.conf:
    key "rndc-key" {
        algorithm hmac-md5;
        secret "CAO2hpKTqQr9Wapy2Y0Rfw==";
    };
    options {
        default-server 127.0.0.1;
        default-port 953;
        default-key "rndc-key";
    };
The key id and secret must match named.conf; options gives the DNS server address, port and key rndc uses by default.

Managing named (5): controlling the server with rndc:
    rndc reload                 re-read named.conf and all zone files
    rndc reload ncu.tw          re-read only zone ncu.tw
    rndc retransfer ncu.tw      fetch zone ncu.tw from the master again, even if the serial has not changed
    rndc stop                   stop named
    rndc -s 140.115.189.115 -y rndc-key reload
-s names the server to control and -y the key id to use.
Updating DNS: Transaction Signatures (TSIG) authenticate the traffic between master and slave DNS servers and dynamic updates, so that the receiver can check that the data was not altered in transit and came from a party holding the key. The same key is configured on both sides in named.conf.

Updating DNS (2): on the master:
    key snmgkey {
        algorithm hmac-md5;
        secret "Ix8CB0np/zgbalAUA5hA3Q==";
    };
    zone "ncu.tw" {
        type master;
        file "master/ncutw.zone";
        allow-transfer { key snmgkey; };
        allow-update { key snmgkey; };
    };
Only requests signed with snmgkey may transfer or update the zone.

Updating DNS (3): on the slave:
    key snmgkey {
        algorithm hmac-md5;
        secret "Ix8CB0np/zgbalAUA5hA3Q==";
    };
    server 140.115.189.112 {
        keys { snmgkey; };
    };
    zone "ncu.tw" {
        type slave;
        file "slave/ncutw.zone";
        masters { 140.115.189.112; };
    };
The server block makes the slave sign everything it sends to the master with the named key.

Updating DNS (4): once allow-update is enabled, dynamic updates are not written into the zone file directly: named records them in a journal, the zone file name with .jnl appended, and merges the journal into the zone file later. Do not edit the zone file by hand while a journal exists: rndc reload or a restart reads the .jnl back on top of the zone file, so hand edits conflict with it. rndc stop writes the journaled changes into the zone file before named exits, after which the file can be edited.

Updating DNS (5): nsupdate performs dynamic updates; -y gives the key id and secret. server selects the DNS server, zone the zone to change; an add line carries the record's TTL; show prints the pending request and send signs it and submits it:
    nsupdate -y snmgkey:Ix8CB0np/zgbalAUA5hA3Q==
    > server 140.115.189.112
    > zone ncu.tw
    > update delete haha.ncu.tw A 140.115.189.250
    > update add lala.ncu.tw 300 A 140.115.189.251
    > show
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
    ;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; ZONE SECTION:
    ;ncu.tw. IN SOA
    ;; UPDATE SECTION:
    haha.ncu.tw. 0 NONE A 140.115.189.250
    lala.ncu.tw. 300 IN A 140.115.189.251
    > send
After a successful update named increments the zone serial itself.
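What the TSIG described in "Updating DNS" and the nsupdate -y session above put on the wire, as an added example that is not part of the original slides: the UPDATE request for haha/lala is built, signed with a TSIG record (RFC 2845, HMAC-MD5 as the slides configure it) using the page's snmgkey, then verified the way the master does and rejected when the address in it is tampered with, when the key is wrong, and when the timestamp is outside the fudge window. The message id, the clock value and the fudge are assumptions. BIND 9 also supports hmac-sha256, which is the better choice for a new key today.

```python
"""Added example (not from the slides): TSIG signing and verification of the
DNS UPDATE shown on this page (RFC 2136 + RFC 2845, HMAC-MD5 as configured).
Key name and secret are the page's; message id, clock and fudge are assumed."""
import base64, hashlib, hmac, struct, time

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
OPCODE_UPDATE = 5
HMAC_MD5 = "hmac-md5.sig-alg.reg.int."     # TSIG algorithm name for HMAC-MD5

def wire_name(name):
    """Domain name in uncompressed wire format."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".") if l) + b"\x00"

def read_name(buf, off):
    """Read an uncompressed name; returns (name, offset after it)."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def skip_name(buf, off):
    """Skip a possibly compressed name (a 0xC0 pointer ends it)."""
    while buf[off] and (buf[off] & 0xC0) != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] else 1)

def ipv4(dotted):
    return bytes(int(o) for o in dotted.split("."))

def rr(owner, rtype, rclass, ttl, rdata):
    return wire_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(msg_id, zone, updates):
    """DNS UPDATE: zone section names the zone's SOA, update section carries the RRs
    to add (class IN) or delete (class NONE, TTL 0). updates: (owner, ttl, class, type, rdata)."""
    msg = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(updates), 0)
    msg += wire_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    for owner, ttl, rclass, rtype, rdata in updates:
        msg += rr(owner, rtype, rclass, ttl, rdata)
    return msg

def tsig_variables(keyname, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC, with names in canonical lower-case form."""
    return (wire_name(keyname.lower()) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(algorithm.lower())
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, len(other)) + other)

def tsig_sign(message, keyname, secret, time_signed=None, fudge=300):
    """Client side: MAC = HMAC(secret, message || TSIG variables); append the TSIG RR, ARCOUNT+1."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, message + tsig_variables(keyname, HMAC_MD5, time_signed, fudge), hashlib.md5).digest()
    orig_id, = struct.unpack("!H", message[:2])
    rdata = (wire_name(HMAC_MD5) + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", orig_id, 0, 0))
    arcount, = struct.unpack("!H", message[10:12])
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr(keyname, TYPE_TSIG, CLASS_ANY, 0, rdata)

def tsig_verify(signed, keys, now=None):
    """Server side: find the TSIG RR, look up its key, recompute the MAC over the message as
    it was before signing (original id, ARCOUNT-1), compare in constant time, then check the
    timestamp against fudge. Returns (accepted, rcode name)."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off, tsig_off = 12, None
    for _ in range(qd):
        off = skip_name(signed, off) + 4
    for _ in range(an + ns + ar):
        start = off
        off = skip_name(signed, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_TSIG:
            tsig_off = start
    if tsig_off is None:
        return False, "unsigned"
    keyname, p = read_name(signed, tsig_off)
    if keyname.lower() not in keys:
        return False, "BADKEY"
    alg, p = read_name(signed, p + 10)                       # skip the 10-byte RR header
    t_hi, t_lo, fudge, maclen = struct.unpack("!HIHH", signed[p:p + 10]); p += 10
    mac, p = signed[p:p + maclen], p + maclen
    orig_id, error, otherlen = struct.unpack("!HHH", signed[p:p + 6])
    other, time_signed = signed[p + 6:p + 6 + otherlen], (t_hi << 32) | t_lo
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_off]
    expected = hmac.new(keys[keyname.lower()], unsigned + tsig_variables(keyname, alg, time_signed, fudge, error, other), hashlib.md5).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    if abs((int(time.time()) if now is None else now) - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"

KEY_NAME = "snmgkey."
KEY_SECRET = base64.b64decode("Ix8CB0np/zgbalAUA5hA3Q==")   # the page's example key

def demo(now=1214400000):   # assumed clock: June 2008, like the page's serial
    updates = [("haha.ncu.tw.", 0, CLASS_NONE, TYPE_A, ipv4("140.115.189.250")),   # update delete
               ("lala.ncu.tw.", 300, CLASS_IN, TYPE_A, ipv4("140.115.189.251"))]   # update add
    signed = tsig_sign(build_update(0x1234, "ncu.tw.", updates), KEY_NAME, KEY_SECRET, time_signed=now)
    keys = {KEY_NAME: KEY_SECRET}
    tampered = signed.replace(ipv4("140.115.189.251"), ipv4("140.115.189.1"))  # attacker edits the address
    return {"genuine": tsig_verify(signed, keys, now),
            "tampered": tsig_verify(tampered, keys, now),
            "wrong key": tsig_verify(signed, {KEY_NAME: b"\x00" * 16}, now),
            "replayed an hour later": tsig_verify(signed, keys, now + 3600)}

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

The MAC covers the whole request plus the key name, algorithm, timestamp and fudge, which is why changing one address byte or shifting the clock by an hour is enough for the master to answer BADSIG or BADTIME; the original message id is carried inside the TSIG record so that verification still works if the id is rewritten in transit.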
Updating DNS (6): a zone transfer is either an AXFR, which copies the whole zone, or an IXFR, which sends only the changes since the slave's serial. IXFR keeps the traffic small when a zone is large and changes often. Since an AXFR hands the entire zone to whoever asks, BIND should restrict it with allow-transfer; otherwise anyone can enumerate the zone's records.

Querying DNS: host looks up a domain name:
    host cc.ncu.edu.tw
    cc.ncu.edu.tw has address 140.115.17.213
    cc.ncu.edu.tw mail is handled by 10 bear.cc.ncu.edu.tw.
    cc.ncu.edu.tw mail is handled by 10 hyena.cc.ncu.edu.tw.
    cc.ncu.edu.tw mail is handled by 10 penguin.cc.ncu.edu.tw.

Querying DNS (2): nslookup queries DNS for a domain name or IP. Given an argument it answers once and exits; without arguments it enters interactive mode.
    nslookup cc.ncu.edu.tw
    Server:  140.115.1.31
    Address: 140.115.1.31#53
    Non-authoritative answer:
    Name: cc.ncu.edu.tw
    Address: 140.115.17.213
Server and Address identify the DNS server that answered; "Non-authoritative" means the answer came from that server's cache rather than from a server authoritative for the zone.

Querying DNS (3): in interactive mode nslookup can switch the server it asks and the record type it asks for:
    nslookup
    > server
    Default server: 140.115.1.31
    Address: 140.115.1.31#53
    > server 140.115.19.42
    Default server: 140.115.19.42
    Address: 140.115.19.42#53
    > set type=ns
    > ncu.edu.tw
    Server:  140.115.1.31
    Address: 140.115.1.31#53
    ncu.edu.tw nameserver = sun1.ncu.edu.tw.
    ncu.edu.tw nameserver = moevax.edu.tw.
    ncu.edu.tw nameserver = rs540.ncu.edu.tw.
server alone shows the current DNS server, server with an address changes it; set type=ns requests NS records, here the name servers of ncu.edu.tw.