In my earlier post, I wrote how to configure DNS servers (Bind9). In this post, I will set up DNSSEC to protect DNS from an attacker. In fact, I am not very familiar with the DNS elements, so I will follow this instruction.
First, I need to update the master DNS server configuration to enable the DNSSEC function. Open "/etc/bind/named.conf.options" and update it like below (the three dnssec-* lines, shown in red in the original post).
# cat /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
recursion no;
listen-on port 53 { 10.10.0.124; };
allow-transfer { none; };
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
DNSSEC requires a ZSK (Zone Signing Key) and a KSK (Key Signing Key). Both are published in the zone as DNSKEY records, and I have to generate them. Key generation needs entropy, and "haveged" is a good solution for this.
# apt-get install haveged
Now I can generate the keys. Please note that the key files should be located in the same directory as the zone files.
# cd /var/cache/bind/zones
After running the command below, I can see two files (a .key file with the public DNSKEY record and a .private file). These files are the Zone Signing Key. The last argument is the zone name, not the zone file name; the KSK is generated with the same command plus the -f KSK flag.
# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE g.crenet.com
All of these steps are for creating a signed zone file, so now I will update the zone file. Open the zone file I want to secure and include the key files generated above.
Now I am ready to sign the zone file. I will run "dnssec-signzone -3 <salt> -A -N INCREMENT -o <zonename> -t <zonefilename>". The "<salt>" value is a random hex string.
# Master DNS (Authoritative DNS) server for crenet.com (ns1, 10.10.0.204)
options {
directory "/var/cache/bind";
listen-on port 53 { 10.10.0.204; }; # ns1 private IP address - listen on private network only
allow-transfer { none; }; # disable zone transfers by default
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
dump-file "/var/cache/bind/dumps/named_dump.db";
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
5. Configure DS records with the registrar.
When I create the signed zone file, a "dsset-g.crenet.com." file is also generated, which includes the "DS" records.
# cat dsset-g.crenet.com.
g.crenet.com. IN DS 33324 7 1 CFE9B08DB55C9EF23AAE19979FB2A48467C1061E
g.crenet.com. IN DS 33324 7 2 1245F5EB80E7A2F6CE9A64A9C69A94EFBC800D60EA4065B96B7FF501 AB6816D2
To publish this DNS server with DNSSEC, I have to provide these DS records to my DNS registrar. (The DNS registrar is the company responsible for registering domains, such as GoDaddy or Gabia.)
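As an added example (my own code, not from the original post or from BIND), this Python script derives a DS record from a KSK's DNSKEY the way dnssec-signzone does, parses dsset lines like the ones above, and checks that a DS really matches the key it claims to cover, which is the check I would run before handing DS records to the registrar. The key material is constructed for the demo; the algorithm and digest type numbers (7, 1, 2) are the ones in the dsset file above.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA on the wire: flags (257 = KSK, 256 = ZSK), protocol 3, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (the 33324 in the dsset file); not valid for alg 1."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# DS digest types used in the dsset file: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int) -> dict:
    """The DS the parent (registrar) should publish for this DNSKEY, RFC 4034 section 5.1.4."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"owner": owner.lower(), "key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}

def parse_ds(line: str) -> dict:
    """Parse one dsset line; dnssec-signzone prints long digests with a space, so re-join."""
    owner, _cls, _rtype, tag, alg, dtype, *digest = line.split()
    return {"owner": owner.lower(), "key_tag": int(tag), "algorithm": int(alg),
            "digest_type": int(dtype), "digest": "".join(digest).upper()}

def ds_matches_key(ds_line: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str) -> bool:
    """True when a published DS was really derived from this DNSKEY (tag, alg and digest)."""
    ds = parse_ds(ds_line)
    return ds == ds_record(ds["owner"], flags, protocol, algorithm, pubkey_b64, ds["digest_type"])

# Constructed KSK material for demonstration only (not the real g.crenet.com key)
DEMO_KEY_B64 = "AQIDBA=="  # decodes to the bytes 01 02 03 04
```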
How to configure DNS bind9 configuration in Ubuntu
Recently, I needed to learn about the DNS system. In fact, I had not thought about this system so far. To understand it as a beginner, I will write down how to configure it simply.
1. Pre-requisite.
I have four servers with Ubuntu 16.04 in AWS. Each server has the Public IP address.
2. Installation of bind9 packages
In fact, I do not know anything at this point, so I need some instructions. I will basically follow this instruction. First I need to update the host names (one on each server).
# hostname ns1
# hostname ns2
# hostname ns3
Then I will update the repository and install the bind packages like below. I will repeat this step on each server, ns2 and ns3 as well.
# apt-get update
# sudo apt-get install bind9 bind9utils bind9-doc
Installation is completed. I can see the directories and files under the /etc/bind directory.
First, I will edit "named.conf.options". In this file, I will add some options so that it works well as a DNS server. This configuration is not applied only to the primary; I will edit it on all of the servers.
Above, there is an "acl" field. It is a named list used by allow-recursion. "recursion yes" enables recursive queries from the other DNS servers listed in "allow-recursion". This instruction shows what a recursive query is.
In this instruction, it is a simpler case compared with an "iterative request".
If I do not want to use recursion, I can change it to "recursion no;". In my case, my authoritative DNS servers are the final step for the domain, so I will disable recursion. "allow-transfer { 10.10.0.99; 10.10.0.39; };" means transferring the zone file to the listed DNS servers, which are referred to as slave servers.
# Master DNS (Authoritative DNS) server (end of the options block)
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
# Slave DNS (Authoritative DNS) servers
options {
directory "/var/cache/bind";
recursion no;
listen-on port 53 { 10.10.0.72; };
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
After these configurations, I can check whether the configuration is correct or not.
# service bind9 restart
# named-checkconf named.conf.options
If I do not get any answer or failure message, it works correctly. Above, I defined "allow-transfer" as "allow-transfer { 10.10.0.99; 10.10.0.39; };". This parameter is a global value, so it applies to all zone files. Sometimes it needs to be limited. In the instruction, "allow-transfer { none; };" is recommended as the global setting.
I will define "allow-transfer" in "named.conf.local" individually in every zone definition. I will edit "named.conf.local" so it looks like below.
# Master DNS (Authoritative DNS) server
zone "dizigo.shop" {
type master;
file "/etc/bind/zones/db.dizigo.shop";
allow-transfer { 10.10.0.99; 10.10.0.39; };
};
zone "10.10.in-addr.arpa" {
type master;
file "/etc/bind/zones/db.10.10";
allow-transfer { 10.10.0.99; 10.10.0.39; };
};
# Slave DNS (Authoritative DNS) servers
zone "dizigo.shop" {
type slave;
file "db.dizigo.shop";
masters { 10.10.0.72; };
};
zone "10.10.in-addr.arpa" {
type slave;
file "db.10.10";
masters { 10.10.0.72; };
};
Above, I defined a "forward zone" and a "reverse zone". (Please note this does not mean the zone file.) I assume one of the 10.10.0.0/16 IP addresses will be mapped to the domain. This file shows how many zones exist and the properties of each. I wrote two types of configuration, for master and slave. In "master", I can define "allow-transfer { 10.10.0.99; 10.10.0.39; };" in each zone definition (as mentioned earlier in this post). In "slave", I can define "masters" as the source.
I will put the zone files under "/etc/bind/zones". If the zones directory does not exist, I need to create it first.
# mkdir -p /etc/bind/zones
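As an added example (not part of the post), this Python audit reads named.conf.options and named.conf.local text and reports the exposure the post warns about: a global allow-transfer that every zone inherits, master zones without their own allow-transfer, and recursion left on for an authoritative server. The sample configuration embedded at the bottom is copied from the master settings above; the "default: any" remark refers to the BIND 9.10 shipped with Ubuntu 16.04.

```python
import re

# Comment forms named.conf accepts: /* */, // and # (this post uses #)
COMMENT = re.compile(r"/\*.*?\*/|(?:#|//)[^\n]*", re.S)

def top_level_blocks(text: str) -> list:
    """Return (header, body) for each top-level `header { body };` statement, comments removed."""
    text, out, depth, start, header = COMMENT.sub("", text), [], 0, 0, ""
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                header, start = text[text.rfind(";", 0, i) + 1:i].strip(), i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                out.append((header, text[start:i]))
    return out

def acl(body: str, keyword: str):
    """Addresses listed in `keyword { a; b; };`, or None when the clause is absent."""
    m = re.search(r"\b" + keyword + r"\s*\{([^}]*)\}", body)
    return [a.strip() for a in m.group(1).split(";") if a.strip()] if m else None

def audit_transfers(options_conf: str, local_conf: str, authoritative: bool = True) -> list:
    """Findings about zone-transfer and recursion exposure across both config files."""
    findings = []
    options = dict(top_level_blocks(options_conf)).get("options", "")
    global_acl = acl(options, "allow-transfer")
    if global_acl != ["none"]:
        findings.append(f"global allow-transfer is {global_acl or 'unset (BIND 9.10 default: any)'}; "
                        "set it to { none; } and allow transfers per zone")
    if authoritative and re.search(r"\brecursion\s+yes\b", options):
        findings.append("recursion yes on an authoritative server; set recursion no")
    for header, body in top_level_blocks(local_conf):
        if not header.startswith("zone") or not re.search(r"\btype\s+master\b", body):
            continue  # slave zones pull from masters and carry no transfer policy here
        name, zone_acl = header.split('"')[1], acl(body, "allow-transfer")
        if zone_acl is None:
            findings.append(f"zone {name}: no allow-transfer, so it inherits the global {global_acl}")
        elif "any" in zone_acl:
            findings.append(f"zone {name}: allow-transfer {{ any; }} lets anyone dump the zone")
    return findings

# Sample input copied from the master configuration in this post (comment kept on purpose)
MASTER_OPTIONS = """options { directory "/var/cache/bind"; recursion no; listen-on port 53 { 10.10.0.72; };
allow-transfer { 10.10.0.99; 10.10.0.39; }; auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; }; };"""
MASTER_LOCAL = """zone "dizigo.shop" { type master; file "/etc/bind/zones/db.dizigo.shop"; allow-transfer { 10.10.0.99; 10.10.0.39; }; };
zone "10.10.in-addr.arpa" { type master; file "/etc/bind/zones/db.10.10"; };"""
```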
After these configurations, I can check the configuration is correct or not.
# service bind9 restart
# named-checkconf named.conf.local
# named-checkconf
3. Creating the forward and reverse zone files.
Under the "/etc/bind" directory, there are sample files for these.
# Forward zone file sample
root@ns1:/etc/bind# cat /etc/bind/db.local
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1
# Reverse zone file sample
root@ns1:/etc/bind# cat /etc/bind/db.127
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
1.0.0 IN PTR localhost.
I will copy and edit these files for my zone files. This step depends on your environment, so yours will differ from mine.
# cp db.local /etc/bind/zones/db.dizigo.shop
# cp db.127 /etc/bind/zones/db.10.10
Open the forward zone file and edit it first. It looks like below.
$TTL 60
@ IN SOA ns1.dizigo.shop. admin.dizigo.shop. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
; name servers - NS records
IN NS ns1.dizigo.shop.
IN NS ns2.dizigo.shop.
IN NS ns3.dizigo.shop.
; name servers - A records
ns1.dizigo.shop. IN A 10.10.0.72
ns2.dizigo.shop. IN A 10.10.0.99
ns3.dizigo.shop. IN A 10.10.0.39
; sample - A records
www.dizigo.shop. IN A 10.128.100.101
ftp.dizigo.shop. IN A 10.128.200.101
I edited the TTL for caching. If there is a caching DNS server in front of these authoritative DNS servers, the caching server does not ask again during this time. I set it to 60 seconds. The serial number is increased; every time I edit the zone file, I have to increase this number, because the slave servers use it to decide whether to download the zone file or not. I added all of the name servers after the SOA record. The reverse zone file is similar to the forward zone file. It looks like below.
$TTL 60
@ IN SOA ns1.dizigo.shop. admin.dizigo.shop. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
; name servers - NS records
IN NS ns1.dizigo.shop.
IN NS ns2.dizigo.shop.
IN NS ns3.dizigo.shop.
; PTR Records
72.0 IN PTR ns1.dizigo.shop.
99.0 IN PTR ns2.dizigo.shop.
39.0 IN PTR ns3.dizigo.shop.
Most of the values are the same. Add all of the name servers after the SOA record, then add the PTR records. After all of this, I can check my configuration.
6. Create Caching DNS server without zone file (Only Forwarding caching DNS server)
Now, I create the caching DNS server in front of the authoritative DNS servers. I will refer to this instruction. Most of the steps are similar to the ones above, which I have already written.
In the instruction, there is another term, "allow-query". It plays the same role as "allow-recursion", so in my case I will use it again in this post. I need to define "forwarders", which point to the DNS servers that handle the recursive query. In my case, the authoritative DNS servers are listed here.
At this point, I want this caching server to work as a forwarder (this server does not answer queries by itself), so I will add the "forward only;" option. The final thing I need to edit is dnssec. In fact, I do not know exactly what this is, but this part makes the server and client more secure. So my "named.conf.options" configuration looks like below.
options {
directory "/var/cache/bind";
listen-on port 53 { 10.10.0.37; }; # ns1 private IP address - listen on private network only
allow-transfer { none; }; # disable zone transfers by default
forwarders {
10.10.0.99;
10.10.0.72;
};
forward only;
dnssec-enable yes;
dnssec-validation yes;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
After this configuration, I need to check the configuration with "named-checkconf" and restart bind.
# named-checkconf
# service bind9 restart
7. Verification of the caching server (cleaning the cached DB)
In this blog, there is a way to view the cache status.
# Run Command
# rndc dumpdb -cache
# Log messages (Error)
Sep 13 14:38:25 cache kernel: [195574.027929] audit: type=1400 audit(1568385505.800:83): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/named_dump.db" pid=25682 comm="named" requested_mask="c" denied_mask="c" fsuid=112 ouid=112
Sep 13 14:38:25 cache named[25678]: received control channel command 'dumpdb -cache'
Sep 13 14:38:25 cache named[25678]: could not open dump file 'named_dump.db': permission denied
This error happened because of the permissions of the location where the command creates the file (AppArmor denies named creating it there). Therefore, I need to redefine the path for the dump file in the configuration. Please read this instruction.
options {
directory "/var/cache/bind";
listen-on port 53 { 10.10.0.37; }; # ns1 private IP address - listen on private network only
allow-transfer { none; }; # disable zone transfers by default
forwarders {
10.10.0.99;
10.10.0.72;
};
forward only;
dnssec-enable yes;
dnssec-validation yes;
dump-file "/var/cache/bind/dumps/named_dump.db";
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
"dump-file "/var/cache/bind/dumps/named_dump.db";" is added to the configuration. After that, check the configuration and restart. (Please note that the file should be located under the /var/cache/bind directory.)
# Run Command
# rndc dumpdb -cache
root@cache:/var/cache/bind/dumps# ls
named_dump.db
I can see that the file was created, and I can also read it.
If I want to clear this DB and the cache, I can run the commands below. Both the flush and the service restart are necessary.
# rndc flush
# service bind9 restart
8. Create Caching DNS server with zone file (Delegating sub-domain)
Please note that I cannot delegate another domain; I can only delegate a sub-domain. For example, "some-name.origin-domain.com --> some-domain.com" is not possible. Only "some-name.origin-domain.com --> some-name.sub-domain.origin-domain.com" is possible.
Because of this, I use another name, "ozigo.shop". (So far, I have used "dizigo.shop".)
I will follow this instruction. A caching DNS server can have a zone file and handle the query directly. For this, I will make some changes. First I will remove "forward only;" and "forwarders". "named.conf.options" then looks like below.
options {
directory "/var/cache/bind";
listen-on port 53 { 10.10.0.37; }; # ns1 private IP address - listen on private network only
allow-transfer { none; }; # disable zone transfers by default
dnssec-enable yes;
dnssec-validation yes;
dump-file "/var/cache/bind/dumps/named_dump.db";
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
Then I need another configuration file and a zone file: "named.conf.local" and a zone file that includes the sub-domain.
# cat named.conf.local
zone "ozigo.shop" {
type master;
file "/etc/bind/zones/db.ozigo.shop";
};
I used the "$ORIGIN" directive to separate the zones ozigo.shop and ns.ozigo.shop. The red text shows how to delegate recursion for the sub-domain: a query for "ns.ozigo.shop" will be sent to "ns1.ns.ozigo.shop", which has the IP address 10.10.0.72. The parent zone file below is from my crenet.com setup, where g.crenet.com is delegated in the same way; after it comes the authoritative zone file for the sub-domain.
root@cache:/var/cache/bind/zones# cat db.crenet.com
$ORIGIN crenet.com.
$TTL 10
@ IN SOA crenet.com. admin.crenet.com. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
IN NS ns1.crenet.com.
ns1.crenet.com. IN A 10.10.0.204
; www.crenet.com. IN CNAME www.g.crenet.com.
$ORIGIN g.crenet.com.
@ IN NS ns1.g.crenet.com.
IN NS ns2.g.crenet.com.
ns1.g.crenet.com. IN A 10.10.0.124
ns2.g.crenet.com. IN A 10.10.0.225
# cat zones/db.ns.ozigo.shop
$TTL 60
@ IN SOA ns1.ns.ozigo.shop. admin.ns.ozigo.shop. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
; name servers - NS records
IN NS ns1.ns.ozigo.shop.
; name servers - A records
ns1.ns.ozigo.shop. IN A 10.10.0.72
; sample - A records
recursion.ns.ozigo.shop. IN A 200.200.200.200
My final goal is looking up "recursion.ozigo.shop". When I dig from a remote client, the result should look like below.