bind9
Docs
Install
Without DHCP-Server
1 aptitude install bind9 dnsutils
With DHCP-Server
1 aptitude install autodns-dhcp
This is a lightweight package that pulls the following dependencies:
- bind9
- dnsutils
- isc-dhcp-server
- perl
The cronjob that comes with the package may be easily deactivated.
/etc/cron.d/autodns-dhcp
Configure
Info
1 rndc status
Create directories for journals and zones
Main configuration file
I decided to move acls, auth and logging configuration to their own files and include them in the main configuration file. They may be reused on other servers as well.
/etc/bind/named.conf
1 //
2 // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
3 // structure of BIND configuration files in Debian, *BEFORE* you customize
4 // this configuration file.
5 //
6 // If you are just adding zones, please do that in /etc/bind/named.conf.local
7
8 include "/etc/bind/named.conf.logging";
9 include "/etc/bind/named.conf.options";
10 include "/etc/bind/named.conf.acls";
11 include "/etc/bind/named.conf.auth";
12 include "/etc/bind/named.conf.local";
13 //DEFAULT ZONES CANNOT BE INCLUDED HERE SINCE WE ARE USING VIEWS
14 // SEE: named.conf.local
15 //include "/etc/bind/named.conf.default-zones";
16
Logging
Default logging got extended by some info for debugging dynamic updates.
To use the path /var/log/bind you must extend the apparmor profile, otherwise leave it to /var/log/named.
Create the directory:
/etc/bind/named.conf.logging
1 logging {
2 channel null {
3 null;
4 };
5 channel update_debug {
6 file "/var/log/bind/update-debug.log" versions 10 size 10m;
7 severity debug 3;
8 print-category yes;
9 print-severity yes;
10 print-time yes;
11 };
12 channel security_info {
13 file "/var/log/bind/security.info" versions 10 size 10m;
14 severity info;
15 print-category yes;
16 print-severity yes;
17 print-time yes;
18 //stderr;
19 };
20 channel general_info {
21 file "/var/log/bind/general.info" versions 10 size 10m;
22 severity info;
23 print-category yes;
24 print-severity yes;
25 print-time yes;
26 //stderr;
27 };
28 channel general_warn {
29 severity warning;
30 syslog local7;
31 print-category yes;
32 print-severity yes;
33 print-time yes;
34 //stderr;
35 };
36
37 // BIND9 LOGGING CATEGORIES
38 //client cname config database default delegation-only dispatch dnssec dnstap
39 //edns-disabled general lame-servers network notify queries query-errors
40 //rate-limit resolver rpz security spill trust-anchor-telemetry unmatched update
41 //update-security xfer-in xfer-out
42
43 category general { general_warn; };
44 category general { general_info; };
45 category rate-limit { security_info; };
46 category security { security_info; };
47 category update { update_debug; };
48 category update-security { security_info;
49 update_debug; };
50 category notify { update_debug; };
51 };
52
53 // vim: set syntax=named:
54
Adjust apparmor profile
In retrospective it may be easier to simply set a symlink than extending the apparmor config.
1 ln -s /var/log/named /var/log/bind
Extend apparmor profile /etc/apparmor.d/local/usr.sbin.named
This path must match the named apparmor-profile /etc/apparmor.d/{,local/}usr.sbin.named or bind will not start with the following error:
Jun 18 15:04:18 kvm2 named[6707]: isc_stdio_open '/var/log/bind/update-debug.log' failed: permission denied Jun 18 15:04:18 kvm2 named[6707]: configuring logging: permission denied Jun 18 15:04:18 kvm2 named[6707]: loading configuration: permission denied Jun 18 15:04:18 kvm2 named[6707]: exiting (due to fatal error)
1 install -o bind -g adm -m 750 -d /var/log/bind
Options
Some common options to all instances of bind9 around in the infrastructure.
- rate limit
- max-cache-size
- disable IPv6
/etc/bind/named.conf.options
1 options {
2 // attach-cache cache_name;
3 // version version_string;
4 // hostname hostname_string;
5 // server-id server_id_string;
6 directory "/var/cache/bind"; # path_name;
7 // key-directory "/var/lib/bind/keys"; # path_name;
8 // managed-keys-directory "/var/lib/bind/managed_keys"; # path_name;
9 // named-xfer "/var/cache/bind"; # path_name; // obsolete
10
11 // If there is a firewall between you and nameservers you want
12 // to talk to, you may need to fix the firewall to allow multiple
13 // ports to talk. See http://www.kb.cert.org/vuls/id/800113
14
15 // If your ISP provided one or more IP addresses for stable
16 // nameservers, you probably want to use them as forwarders.
17 // Uncomment the following block, and insert the addresses replacing
18 // the all-0's placeholder.
19
20 // forwarders {
21 // 0.0.0.0;
22 // };
23
24 //========================================================================
25 // If BIND logs error messages about the root key being expired,
26 // you will need to update your keys. See https://www.isc.org/bind-keys
27 //========================================================================
28 dnssec-validation auto;
29
30 auth-nxdomain no; # conform to RFC1035
31 dump-file "/var/cache/bind/named_dump.db";
32 listen-on { any; }; # Default "any;"
33 listen-on-v6 { none; }; # Default
34 allow-transfer { rockstable_dns; }; # { address_match_list };
35 empty-zones-enable yes ; # Default no
36 // empty-zones-enable no ; # Default no
37 // disable-empty-zone zone_name ;
38 allow-recursion { any; }; # Default with 9.4.1 { localhost; localnets; };
39 // allow-query { any; };
40 // allow-query-cache { any; };
41 rate-limit {
42 responses-per-second 100;
43 };
44 // listen-on-v6 { any; };
45 //PER VIEW - DEFAULT: 90%
46 max-cache-size 256m;
47 };
48
49 // vim: set syntax=named:
50
ACLs
Define ACLs for your networks and ip-interfaces. This will simplify your configuration and make it more readable.
/etc/bind/named.conf.acls
1 // ACCESS CONTROL LISTS
2
3 // ROCKSTABLE DNS-SERVERS
4
5 acl ns2.rockstable.org { kvm1_eth0; };
6 acl ns3.rockstable.org { kvm2_enp0s31f6; };
7 acl ns4.rockstable.org { ns4_eth0; };
8 // GROUP THEM TOGETHER
9 acl rockstable_dns {
10 ns2.rockstable.org;
11 ns3.rockstable.org;
12 ns4.rockstable.org;
13 };
14
15 // NETWORKS
16
17 acl rockstable { 176.9.178.16/29; };
18 acl pub1 { 178.63.149.224/28; };
19
20 // Exotic networks, client networks, …
21 // …
22
23 // INTERFACES
24 acl kvm1_eth0 { 176.9.99.233; };
25 acl kvm2_enp0s31f6 { 195.201.246.253; };
26 acl ns4_eth0 { 78.47.38.48; };
27
28 // Exotic clients, name-server interfaces in client networks, …
29 // …
30
31 // vim: set syntax=named:
32
Auth
This file contains the secrets for TSIG (Transaction SIGnature) authentication and deserves some protection.
Make sure this file has correct unix-permissions!
/etc/bind/named.conf.auth
1 // KEYS
2 key DNS_REPLICATOR_INTERNAL {
3 algorithm HMAC-SHA512;
4 secret "ENDLESS_LONG_SECRET_KEY_FOR_INTERNAL_VIEW";
5 };
6
7 key DNS_REPLICATOR_EXTERNAL {
8 algorithm HMAC-SHA512;
9 secret "ENDLESS_LONG_SECRET_KEY_FOR_EXTERNAL_VIEW";
10 };
11
12 // MASTERS
13 // INTERNAL
14 masters masters_rockstable_org_internal port 53 {
15 176.9.99.233 port 53 key DNS_REPLICATOR_INTERNAL;
16 };
17
18 masters masters_rockstable_it_internal port 53 {
19 195.201.246.253 port 53 key DNS_REPLICATOR_INTERNAL;
20 };
21
22 // EXTERNAL
23 masters masters_rockstable_org_external port 53 {
24 176.9.99.233 port 53 key DNS_REPLICATOR_EXTERNAL;
25 };
26
27 masters masters_rockstable_it_external port 53 {
28 195.201.246.253 port 53 key DNS_REPLICATOR_EXTERNAL;
29 };
30
31 // vim: set syntax=named:
32
Local
A slave-only setup authenticated using TSIG with only a view "external".
/etc/bind/named.conf.local
1 //
2 // Do any local configuration here
3 //
4
5 // Consider adding the 1918 zones here, if they are not used in your
6 // organization
7 //include "/etc/bind/zones.rfc1918";
8
9 // be authoritative for the rockstable.org forward and reverse zones, and for
10 // broadcast zones
11
12 view external {
13 // TAKEN FROM named.conf.default-zones
14 include "/etc/bind/named.conf.default-zones";
15
16 match-clients {
17 key DNS_REPLICATOR_EXTERNAL;
18 !key DNS_REPLICATOR_INTERNAL;
19 any;
20 };
21
22 //REVERSE ZONE DEFINITIONS (INTERNAL)
23 //-> NONE
24
25 //FORWARD ZONE DEFINITIONS
26 zone "rockstable.org" {
27 type slave;
28 masters { masters_rockstable_org_external; };
29 masterfile-format text; # (text|raw)
30 file "/var/lib/bind/zones/db.org.rockstable";
31 journal "/var/lib/bind/journal/db.org.rockstable.jnl"; # string ;
32
33 check-names warn; # (warn|fail|ignore) ;
34 notify yes; # yes_or_no | explicit | master-only ;
35 zone-statistics yes; # yes_or_no ;
36 };
37
38 zone "rockstable.it" {
39 type slave;
40 masters { masters_rockstable_it_external; };
41 masterfile-format text; # (text|raw)
42 file "/var/lib/bind/zones/db.it.rockstable";
43 journal "/var/lib/bind/journal/db.it.rockstable.jnl"; # string ;
44 check-names warn; # (warn|fail|ignore) ;
45 notify yes; # yes_or_no | explicit | master-only ;
46 zone-statistics yes; # yes_or_no ;
47 };
48 };
49
50 // vim: syntax=named:
51
Changing a dynamic zone with views
When you are using a dynamic zones with views there are some steps you need to walk through to update a zone.
1 ZONE="rockstable.org"
2 ### "IN" IS SIMPLY THE CLASS OF ZONE (CASE INSENSITIVE)
3 VIEW="external"
4
5 ### FREEZE A DYNAMIC ZONE
6 rndc freeze "$ZONE" IN "$VIEW"
7 ### EDIT THE ZONE AND INCREMENT THE SERIAL
8 vim /etc/bind/zones/db.org.rockstable
9 ### CHECK ZONE SYNTAX
10 named-checkzone "$ZONE" /etc/bind/zones/db.org.rockstable
11 ### RELOAD THE ZONE LOCALLY
12 rndc reload "$ZONE" IN "$VIEW"
13 ### UNFREEZE THE ZONE
14 rndc thaw "$ZONE" IN "$VIEW"
15 ### NOTIFY SLAVES EXPLICITLY
16 rndc notify "$ZONE" IN "$VIEW"
Debugging
Check config
1 named-checkconf
Check zone
1 # named-checkzone rockstable.org /etc/bind/zones/db.org.rockstable
2 zone rockstable.org/IN: _matrix._tcp.rockstable.org/SRV 'matrix.rockstable.org' is a CNAME (illegal)
3 zone rockstable.org/IN: _stun._tcp.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
4 zone rockstable.org/IN: _stuns._tcp.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
5 zone rockstable.org/IN: _turn._tcp.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
6 zone rockstable.org/IN: _turns._tcp.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
7 zone rockstable.org/IN: _stun._udp.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
8 zone rockstable.org/IN: _turn._udp.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
9 zone rockstable.org/IN: _stun._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
10 zone rockstable.org/IN: _stuns._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
11 zone rockstable.org/IN: _turn._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
12 zone rockstable.org/IN: _turns._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
13 zone rockstable.org/IN: _xmpp-client._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
14 zone rockstable.org/IN: _xmpp-server._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
15 zone rockstable.org/IN: _xmpps-client._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
16 zone rockstable.org/IN: _xmpps-client._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
17 zone rockstable.org/IN: _stun._udp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
18 zone rockstable.org/IN: _turn._udp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
19 zone rockstable.org/IN: _xmpp-server._tcp.conference.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
20 zone rockstable.org/IN: loaded serial 2020030301
21 OK
I should think about the advisory of named-checkzone one day. Seems like i'm doing illegal things with DNS. 
DNSsec
Server
Create key directory
Create keys
Options
1 //key-directory path_name;
2
3 //dnssec-accept-expired boolean;
4 //dnssec-dnskey-kskonly boolean;
5 //dnssec-enable boolean;
6 //dnssec-loadkeys-interval integer;
7 //dnssec-lookaside ( string trust-anchor string | auto | no );
8 //dnssec-must-be-secure string boolean;
9 //dnssec-secure-to-insecure boolean;
10 //dnssec-update-mode ( maintain | no-resign );
11 //dnssec-validation ( yes | no | auto );
12
update-check-ksk
- When set to the default value of yes, check the KSK bit in each key to determine how the key should be used when generating
RRSIGs for a secure zone.
Ordinarily, zone-signing keys (that is, keys without the KSK bit set) are used to sign the entire zone, while key-signing keys (keys with the KSK bit set) are only used to sign the DNSKEY RRset at the zone apex. However, if this option is set to no, then the KSK bit is ignored; KSKs are treated as if they were ZSKs and are used to sign the entire zone.This is similar to the dnssec-signzone -z command line option.
When this option is set to yes, there must be at least two active keys for every algorithm represented in the DNSKEY RRset: at least one KSK and one ZSK per algorithm. If there is any algorithm for which this requirement is not met, this option will be ignored for that algorithm.
dnssec-dnskey-kskonly
- When this option and update-check-ksk are both set to yes, only key-signing keys (that is, keys with the KSK bit set) will be used to sign the DNSKEY, CDNSKEY, and CDS RRsets at the zone apex. Zone-signing keys (keys without the KSK bit set) will be used to sign the remainder of the zone, but not the DNSKEY RRset.
This is similar to the dnssec-signzone -x command line option.
The default is no. If update-check-ksk is set to no, this option is ignored.
key-directory
- When performing dynamic update of secure zones, the directory where the public and private DNSSEC key files should be found, if different than the current working directory. (Note that this option has no effect on the paths for files containing non-DNSSEC keys such as bind.keys, rndc.key or session.key.)
dnssec-accept-expired
- Accept expired signatures when verifying DNSSEC signatures. The default is no. Setting this option to yes leaves named vulnerable to replay attacks.
dnssec-loadkeys-interval
- When a zone is configured with auto-dnssec maintain; its key repository must be checked periodically to see if any new keys have been added or any existing keys’ timing metadata has been updated (see dnssec-keygen: DNSSEC key generation tool and dnssec-settime: set the key timing metadata for a DNSSEC key). The dnssec-loadkeys-interval option sets the frequency of automatic repository checks, in minutes.
The default is 60 (1 hour),
the minimum is 1 (1 minute),
and the maximum is 1440 (24 hours);
any higher value is silently reduced.
dnssec-lookaside
- When set, dnssec-lookaside provides the validator with an alternate method to validate DNSKEY records at the top of a zone. When a DNSKEY is at or below a domain specified by the deepest dnssec-lookaside, and the normal DNSSEC validation has left the key untrusted, the trust-anchor will be appended to the key name and a DLV record will be looked up to see if it can validate the key. If the DLV record validates a DNSKEY (similarly to the way a DS record does)
the DNSKEY RRset is deemed to be trusted.
If dnssec-lookaside is set to no, then dnssec-lookaside is not used.
Note- The ISC-provided DLV service at dlv.isc.org, has been shut down. The dnssec-lookaside auto; configuration option, which set named up to use ISC DLV with minimal configuration, has accordingly been removed.
dnssec-must-be-secure
- Specify hierarchies which must be or may not be secure (signed and validated). If yes, then named will only accept answers if they are secure. If no, then normal DNSSEC validation applies allowing for insecure answers to be accepted. The specified domain must be defined as a trust anchor, for instance in a dnssec-keys statement, or dnssec-validation auto must be active.
dnssec-update-mode
- If this option is set to its default value of maintain in a zone of type master which is DNSSEC-signed and configured to allow dynamic updates (see Dynamic Update Policies), and if named has access to the private signing key(s) for the zone, then named will automatically sign all new or changed records and maintain signatures for the zone by regenerating RRSIG records
whenever they approach their expiration date.
If the option is changed to no-resign, then named will sign all new or changed records,but scheduled maintenance of signatures is disabled.
With either of these settings, named will reject updates to a DNSSEC-signed zone when the signing keys are inactive or unavailable to named. (A planned third option, external, will disable all automatic signing and allow DNSSEC data to be submitted into a zone via dynamic update; this is not yet implemented.)
/etc/bind/named.conf.options
1 key-directory "/var/lib/bind/keys";
Signing
inline-signing
- If yes, this enables “bump in the wire” signing of a zone, where a unsigned zone is transferred in or loaded from disk and a signed version of the zone is served, with possibly, a different serial number. This behavior is disabled by default.
/etc/bind/named.conf.options
#WIP
Client
/etc/bind/named.conf.options
#WIP
Zone Files
Record Types
Start Of Authrority (SOA)
SOA Record - from Wikipedia, the free encyclopedia
A Start of Authority record (abbreviated as SOA record) is a type of resource record in the Domain Name System (DNS) containing administrative information about the zone, especially regarding zone transfers. The SOA record format is specified in RFC 1035.
Background
Normally DNS name servers are set up in clusters. The database within each cluster is synchronized through zone transfers. The SOA record for a zone contains data to control the zone transfer. This is the serial number and different timespans.
It also contains the email address of the responsible person for this zone, as well as the name of the primary master name server. Usually the SOA record is located at the top of the zone. A zone without a SOA record does not conform to the standard required by RFC 1035.
Structure
name
- name of the zone (mostly "@")
IN
- zone class (usually IN for internet)
SOA
- abbreviation for Start of Authority
MNAME
- Primary master name server for this zone UPDATE requests should be forwarded toward the primary master[2] NOTIFY requests propagate outward from the primary master[3]
RNAME
Email address of the administrator responsible for this zone. (As usual, the email address is encoded as a name. The part of the email address before the @ becomes the first label of the name; the domain name after the @ becomes the rest of the name. In zone-file format, dots in labels are escaped with backslashes; thus the email address john.doe@example.com would be represented in a zone file as john\.doe.example.com.)
SERIAL
- Serial number for this zone. If a secondary name server slaved to this one observes an increase in this number, the slave will assume that the zone has been updated and initiate a zone transfer.
REFRESH
- number of seconds after which secondary name servers should query the master for the SOA record, to detect zone changes. Recommendation for small and stable zones:[4] 86400 seconds (24 hours).
RETRY
- number of seconds after which secondary name servers should retry to request the serial number from the master if the master does not respond. It must be less than Refresh. Recommendation for small and stable zones:[4] 7200 seconds (2 hours).
EXPIRE
- number of seconds after which secondary name servers should stop answering request for this zone if the master does not respond. This value must be bigger than the sum of Refresh and Retry. Recommendation for small and stable zones:[4] 3600000 seconds (1000 hours).
TTL, a.k.a. MINIMUM
Time To Live for purposes of negative caching. Recommendation for small and stable zones:[4] 172800 seconds (2 days). Originally this field had the meaning of a minimum TTL value for resource records in this zone; it was changed to its current meaning by RFC 2308.[5]
Abstracted SOA layout
- Strongly annotated
- Names are taken from upper definitions.
moinmoin: Use !#highlight clojure
1 ;ORIGIN IS APPENDED TO ANY NAME-STRING THAT DOES NOT END ON "."
2 $ORIGIN . ;GET ORIGIN FROM BIND CONFIG (named.conf.local)
3 ;$ORIGIN domain.tld. ;SET ORIGIN
4 $TTL 86400 ;DEFAULT TTL FOR RESOURCE RECORDS
5 name zone_class SOA MNAME RNAME (
6 2018110201 ;Serial (ISO 8601 basic format followed by a two-digit counter)
7 86400 ;Refresh (SOA Query Interval in [s])
8 7200 ;Retry (Query Retry Interval after failed query in [s], Retry < Refresh < Expire)
9 604800 ;Expire (delay in [s] from contact loss to stop of response)
10 86400 ;Minimum TTL ([s] actually lifetime for negative caching, SEE: [[https://tools.ietf.org/html/rfc2308|RFC 2308]])
11 )
12 ; SOA ALREADY ENDED BUT NS RECORDS ARE OF INTEREST DURING ZONE TRANSFER TO!
13 IN NS MNAME
14 IN NS NS1
15 IN NS NS2.other-domain.tld.
Typical impression of a SOA record in BIND syntax
Cleaned up
Serial number changes
Several methods have been established for updates to the SERIAL field of a zone's SOA record:
- The serial number begins at 1, and is simply incremented at every change.
- The serial number contains the date of the last change (in ISO 8601 basic format) followed by a two-digit counter (e.g. 2017031405 = the fifth change dated March 14, 2017). This method is recommended in RFC 1912.
- The serial number is the time of last modification to the zone's data file expressed as the number of seconds since the UNIX epoch. This method is used by default in the djbdns suite. Although it uses a 32-bit counter, it is not susceptible to the year 2038 problem due to the effect of serial number arithmetic.
HINT: IN VIM TRY CTRL+A or CTRL+Y
Trouble shooting
journal out of sync
A dynamic zone and its journal can get out of sync like in the following example
You can sync the zone and purge the journal
Corresponding log
1 06-Apr-2020 14:40:21.896 general: info: received control channel command 'sync -clean 0.16.172.in-addr.arpa'
2 06-Apr-2020 14:40:21.896 general: info: sync: dumping zone '0.16.172.in-addr.arpa/IN' internal, removing journal file: success
3 06-Apr-2020 14:40:31.721 general: info: zone 0.16.172.in-addr.arpa/IN/internal: loaded serial 2020032200
4 06-Apr-2020 14:40:31.721 general: info: received control channel command 'reload'
name not in use
Dynamic DNS update fails with
1 06-Apr-2020 15:16:51.501 update: info: client @0x7f10c4104640 127.0.0.1#51809/key dhcp_updater: view internal: updating zone 'subdom.rockstable.it/IN': update unsuccessful: host1.subdom.rockstable.it: 'name not in use' prerequisite not satisfied (YXDOMAIN)
2 06-Apr-2020 15:16:51.502 update: info: client @0x7f10c40e7720 127.0.0.1#41651/key dhcp_updater: view internal: updating zone 'subdom.rockstable.it/IN': update unsuccessful: host1.subdom.rockstable.it/DHCID: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Delete record and increment serial
fail2ban
Extent bind9 logging
Provide a datasource that fail2ban may parse.
/etc/bind/named.conf.logging
1 logging {
2 channel security_info {
3 file "/var/log/bind/security.info" versions 10 size 10m;
4 severity info;
5 print-category yes;
6 print-severity yes;
7 print-time yes;
8 //stderr;
9 };
10
11 // BIND9 LOGGING CATEGORIES
12 //client cname config database default delegation-only dispatch dnssec dnstap
13 //edns-disabled general lame-servers network notify queries query-errors
14 //rate-limit resolver rpz security spill trust-anchor-telemetry unmatched update
15 //update-security xfer-in xfer-out
16
17 category rate-limit { security_info; };
18 category security { security_info; };
19 };
20
21 // vim: set syntax=named:
Ban rogues
If you have a open DNS server, that recurses for everybody, rate-limiting the responses may not be enough.
I adjusted the filter-configuration of fail2ban to match DDOS-UDP patterns.
Change _daemon to include rate-limiting.
Introduce regex __log_level to make it configurable.
Modularize __line_prefix to be not monolithic but keep optionality.
Don't start prefregex with a ^ caret or date won't be matched.
Add regex failregex to match rate-limits.
- The failregex been proven to be working.
/etc/fail2ban/filter.d/named-refused.conf
1 # Fail2Ban filter file for named (bind9).
2 #
3
4 # This filter blocks attacks against named (bind9) however it requires special
5 # configuration on bind.
6 #
7 # By default, logging is off with bind9 installation.
8 #
9 # You will need something like this in your named.conf to provide proper logging.
10 #
11 # logging {
12 # channel security_file {
13 # file "/var/log/named/security.log" versions 3 size 30m;
14 # severity dynamic;
15 # print-time yes;
16 # };
17 # category security {
18 # security_file;
19 # };
20 # };
21
22 [Definition]
23
24 # Daemon name
25 #_daemon=named
26 _daemon=(named|rate-limit)
27
28 # Shortcuts for easier comprehension of the failregex
29
30 __pid_re=(?:\[\d+\])
31 __daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
32 #__daemon_re=\(?(named|rate-limit)(?:\(\S+\))?\)?:?
33 __log_level=((error|info):)
34
35 ### PID:DAEMON OR DAEMON:PID
36 __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
37 #__daemon_combs_re=(?:(?:\[\d+\])?:\s+\(?(named|rate-limit)(?:\(\S+\))?\)?:?|\(?(named|rate-limit)(?:\(\S+\))?\)?:?(?:\[\d+\])?:)
38
39 # hostname daemon_id spaces
40 # this can be optional (for instance if we match named native log files)
41 #__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
42 __line_prefix=(?:\s\S+\s+)?(%(__daemon_combs_re)s)?\s*
43
44 #prefregex = ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>$
45 prefregex = %(__line_prefix)s%(__log_level)s?\s*client @\S+ <HOST>#\S+( \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>$
46
47 failregex = ^(view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
48 ^zone transfer '\S+/AXFR/\w+' denied\s*$
49 ^bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
50 ^(view (internal|external): )?rate limit (drop|slip) response to \S+ for \S+ IN ANY\s+\(\S+\)$
51
52 ignoreregex =
53
54 # DEV Notes:
55 # Trying to generalize the
56 # structure which is general to capture general patterns in log
57 # lines to cover different configurations/distributions
58 #
59 # Author: Yaroslav Halchenko
Test your filter with fail2ban-regex
Looks good, so far. Effectivly this rule only drops the queries from rate-limited requestors. This may be a DDOS-victim. The victim will also not be able to query this DNS-Server.
You may check your regex with the great webtool https://regex101.com/.
Make sure you servers are configured correctly!!1!
Once your confident enable the configuration. /etc/fail2ban/jail.d/named-refused.conf
1 ### SEE ../filter.d/named-refused.conf
2 ### ADDED REGEX TO failregex TO PROTECT DDOS ATTACKS
3 ### ^(view (internal|external): )?rate limit (drop|slip) response to \S+ for \S+ IN ANY\s+\(\S+\)$
4
5 [named-refused-udp]
6
7 enabled = true
8 filter = named-refused
9 port = domain,953
10 protocol = udp
11 logpath = /var/log/bind/security.info
12
13 [named-refused]
14
15 enabled = true
16 port = domain,953
17 logpath = /var/log/bind/security.info
Check jail status
Well, it saves bandwidth! I guess, it attenuates a DDOS but is not free of side effects!
Unban
Very specific to one jail
or an IP globally
or unban all
1 fail2ban-client unban --all
dnsutils
Must have!
1 aptitude install dnsutils
Test zone transfer
1 dig -t AXFR rockstable.it @ns3.rockstable.org
DNS
Top-Level Domains (TLDs)
Groups of TLDs:
generic TLD (gTLD): with three or more characters -> Managed by Internet Corporation for Assigned Names and Numbers (ICANN)
restricted generic TLD (grTLD) -> managed under official ICANN accredited registrars
sponsored TLD (sTLD): are proposed and sponsored by private agencies or organizations that establish and enforce rules restricting the eligibility to use the TLD. Use is based on community theme concepts; -> managed under official ICANN accredited registrars.
unsponsored TLD (uTLD)
country-code TLD (ccTLD) - Two-letter domains established for countries or territories. With some historical exceptions (e.g. .uk (additionally to .gb), .eu for Europe), the code for any territory is the same as its two-letter ISO 3166 code. Creation and delegation of ccTLDs is described in RFC 1591, corresponding to ISO 3166-1 alpha-2 country codes. -> Managed by local (IANA) trusted registries
internationalized ccTLD (IDN ccTLD) - ccTLDs in non-Latin character sets (e.g., Arabic, Cyrillic, Hebrew, or Chinese) since November 2009; Punycode-translated ASCII domain names.
- test TLD (tTLD): These domains were installed under .test for testing purposes in the IDN development process; these domains are not present in the root zone.
infrastructure TLD (iTLD) -> managed by IANA
- .root (never actively used)
.arpa (Address and Routing Parameter Area)
- .root (never actively used)
- .bitnet (decrecated)
- .uucp (decrecated)
Lists
Official, authoritative list of all Top-Level domains published by Internet Assigned Numbers Authority (IANA) Root Zone Database
Reserved domains
RFC 6761 reserves the following four top-level domain names to avoid confusion and conflict.[18] Any such reserved usage of those TLDs should not occur in production networks that utilize the global domain name system:
- example: reserved for use in examples
- invalid: reserved for use in obviously invalid domain names
- localhost: reserved to avoid conflict with the traditional use of localhost as a hostname
- test: reserved for use in tests
RFC 6762 reserves the use of .local for link-local host names that can be resolved via the Multicast DNS name resolution protocol.
RFC 7686 reserves the use of .onion for the self-authenticating names of Tor hidden services. These names can only be resolved by a Tor client because of the use of onion routing to protect the anonymity of users.