bind9
Contents
Docs
ftp://ftp.isc.org/isc/bind9/cur/
Install
1 aptitude install autodns-dhcp
Configure
Create directories for journals and zones
Main configuration file
I decided to move acls, auth and logging configuration to their own files and include them in the main configuration file. They may be reused on other servers as well.
/etc/bind/named.conf
1 //
2 // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
3 // structure of BIND configuration files in Debian, *BEFORE* you customize
4 // this configuration file.
5 //
6 // If you are just adding zones, please do that in /etc/bind/named.conf.local
7
8 include "/etc/bind/named.conf.logging";
9 include "/etc/bind/named.conf.options";
10 include "/etc/bind/named.conf.acls";
11 include "/etc/bind/named.conf.auth";
12 include "/etc/bind/named.conf.local";
13 //DEFAULT ZONES CANNOT BE INCLUDED HERE SINCE WE ARE USING VIEWS
14 // SEE: named.conf.local
15 //include "/etc/bind/named.conf.default-zones";
16
Logging
Default logging got extended by some info for debugging dynamic updates.
To use the path /var/log/bind you must extend the apparmor profile, otherwise leave it to /var/log/named.
/etc/bind/named.conf.logging
1 logging {
2 channel null {
3 null;
4 };
5 channel update_debug {
6 file "/var/log/bind/update-debug.log" versions 10 size 10m;
7 severity debug 3;
8 print-category yes;
9 print-severity yes;
10 print-time yes;
11 };
12 channel security_info {
13 file "/var/log/bind/security.info" versions 10 size 10m;
14 severity info;
15 print-category yes;
16 print-severity yes;
17 print-time yes;
18 //stderr;
19 };
20 channel general_info {
21 file "/var/log/bind/general.info" versions 10 size 10m;
22 severity info;
23 print-category yes;
24 print-severity yes;
25 print-time yes;
26 //stderr;
27 };
28 channel general_warn {
29 severity warning;
30 syslog local7;
31 print-category yes;
32 print-severity yes;
33 print-time yes;
34 //stderr;
35 };
36
37 // BIND9 LOGGING CATEGORIES
38 //client cname config database default delegation-only dispatch dnssec dnstap
39 //edns-disabled general lame-servers network notify queries query-errors
40 //rate-limit resolver rpz security spill trust-anchor-telemetry unmatched update
41 //update-security xfer-in xfer-out
42
43 category general { general_warn; };
44 category general { general_info; };
45 category rate-limit { security_info; };
46 category security { security_info; };
47 category update { update_debug; };
48 category update-security { security_info;
49 update_debug; };
50 category notify { update_debug; };
51 };
52
53 // vim: set syntax=named:
54
Adjust apparmor profile
In retrospective it may be easier to simply set a symlink than extending the apparmor config.
1 ln -s /var/log/named /var/log/bind
Extend apparmor profile /etc/apparmor.d/local/usr.sbin.named
This path must match the named apparmor-profile /etc/apparmor.d/{,local/}usr.sbin.named or bind will not start with the following error:
Jun 18 15:04:18 kvm2 named[6707]: isc_stdio_open '/var/log/bind/update-debug.log' failed: permission denied Jun 18 15:04:18 kvm2 named[6707]: configuring logging: permission denied Jun 18 15:04:18 kvm2 named[6707]: loading configuration: permission denied Jun 18 15:04:18 kvm2 named[6707]: exiting (due to fatal error)
1 install -o bind -g adm -m 750 -d /var/log/bind
ACLs
Define ACLs for your networks and ip-interfaces. This will simplify your configuration and make it more readable.
/etc/bind/named.conf.acls
Zone Files
Record Types
Start Of Authrority (SOA)
SÓA Record - from Wikipedia, the free encyclopedia
A Start of Authority record (abbreviated as SOA record) is a type of resource record in the Domain Name System (DNS) containing administrative information about the zone, especially regarding zone transfers. The SOA record format is specified in RFC 1035.
Background
Normally DNS name servers are set up in clusters. The database within each cluster is synchronized through zone transfers. The SOA record for a zone contains data to control the zone transfer. This is the serial number and different timespans.
It also contains the email address of the responsible person for this zone, as well as the name of the primary master name server. Usually the SOA record is located at the top of the zone. A zone without a SOA record does not conform to the standard required by RFC 1035.
Structure
name
- name of the zone (mostly "@")
IN
- zone class (usually IN for internet)
SOA
- abbreviation for Start of Authority
MNAME
- Primary master name server for this zone UPDATE requests should be forwarded toward the primary master[2] NOTIFY requests propagate outward from the primary master[3]
RNAME
Email address of the administrator responsible for this zone. (As usual, the email address is encoded as a name. The part of the email address before the @ becomes the first label of the name; the domain name after the @ becomes the rest of the name. In zone-file format, dots in labels are escaped with backslashes; thus the email address john.doe@example.com would be represented in a zone file as john\.doe.example.com.)
SERIAL
- Serial number for this zone. If a secondary name server slaved to this one observes an increase in this number, the slave will assume that the zone has been updated and initiate a zone transfer.
REFRESH
- number of seconds after which secondary name servers should query the master for the SOA record, to detect zone changes. Recommendation for small and stable zones:[4] 86400 seconds (24 hours).
RETRY
- number of seconds after which secondary name servers should retry to request the serial number from the master if the master does not respond. It must be less than Refresh. Recommendation for small and stable zones:[4] 7200 seconds (2 hours).
EXPIRE
- number of seconds after which secondary name servers should stop answering request for this zone if the master does not respond. This value must be bigger than the sum of Refresh and Retry. Recommendation for small and stable zones:[4] 3600000 seconds (1000 hours).
TTL, a.k.a. MINIMUM
Time To Live for purposes of negative caching. Recommendation for small and stable zones:[4] 172800 seconds (2 days). Originally this field had the meaning of a minimum TTL value for resource records in this zone; it was changed to its current meaning by RFC 2308.[5]
Abstracted SOA layout
- Strongly annotated
- Names are taken from upper definitions.
moinmoin: Use !#highlight clojure
1 ;ORIGIN IS APPENDED TO ANY NAME-STRING THAT DOES NOT END ON "."
2 $ORIGIN . ;GET ORIGIN FROM BIND CONFIG (named.conf.local)
3 ;$ORIGIN domain.tld. ;SET ORIGIN
4 $TTL 86400 ;DEFAULT TTL FOR RESOURCE RECORDS
5 name zone_class SOA MNAME RNAME (
6 2018110201 ;Serial (ISO 8601 basic format followed by a two-digit counter)
7 86400 ;Refresh (SOA Query Interval in [s])
8 7200 ;Retry (Query Retry Interval after failed query in [s], Retry < Refresh < Expire)
9 604800 ;Expire (delay in [s] from contact loss to stop of response)
10 86400 ;Minimum TTL ([s] actually lifetime for negative caching, SEE: [[https://tools.ietf.org/html/rfc2308|RFC 2308]])
11 )
12 ; SOA ALREADY ENDED BUT NS RECORDS ARE OF INTEREST DURING ZONE TRANSFER TO!
13 IN NS MNAME
14 IN NS NS1
15 IN NS NS2.other-domain.tld.
Typical impression of a SOA record in BIND syntax
Cleaned up
Serial number changes
Several methods have been established for updates to the SERIAL field of a zone's SOA record:
- The serial number begins at 1, and is simply incremented at every change.
- The serial number contains the date of the last change (in ISO 8601 basic format) followed by a two-digit counter (e.g. 2017031405 = the fifth change dated March 14, 2017). This method is recommended in RFC 1912.[6]
- The serial number is the time of last modification to the zone's data file expressed as the number of seconds since the UNIX epoch. This method is used by default in the djbdns suite.[7] Although it uses a 32-bit counter, it is not susceptible to the year 2038 problem due to the effect of serial number arithmetic.
fail2ban
Configure bind logging (this is only the relevant part for fail2ban) /etc/bind/named.conf.logging
1 logging {
2 channel security_info {
3 file "/var/log/bind/security.info" versions 10 size 10m;
4 severity info;
5 print-category yes;
6 print-severity yes;
7 print-time yes;
8 //stderr;
9 };
10
11 // BIND9 LOGGING CATEGORIES
12 //client cname config database default delegation-only dispatch dnssec dnstap
13 //edns-disabled general lame-servers network notify queries query-errors
14 //rate-limit resolver rpz security spill trust-anchor-telemetry unmatched update
15 //update-security xfer-in xfer-out
16
17 category rate-limit { security_info; };
18 category security { security_info; };
19 };
20
21 // vim: set syntax=named:
If you have a open DNS server that recurses for every boy you rate-limiting the responses may not be enough. I adjusted the filter-configuration of fail2ban to match DDOS-UDP pattern. The regex has not yet been proved to work, i will update it once i see rate-limits slipping through. /etc/fail2ban/filter.d/named-refused.conf
1 # Fail2Ban filter file for named (bind9).
2 #
3
4 # This filter blocks attacks against named (bind9) however it requires special
5 # configuration on bind.
6 #
7 # By default, logging is off with bind9 installation.
8 #
9 # You will need something like this in your named.conf to provide proper logging.
10 #
11 # logging {
12 # channel security_file {
13 # file "/var/log/named/security.log" versions 3 size 30m;
14 # severity dynamic;
15 # print-time yes;
16 # };
17 # category security {
18 # security_file;
19 # };
20 # };
21
22 [Definition]
23
24 # Daemon name
25 _daemon=named
26
27 # Shortcuts for easier comprehension of the failregex
28
29 __pid_re=(?:\[\d+\])
30 __daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
31 __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
32
33 # hostname daemon_id spaces
34 # this can be optional (for instance if we match named native log files)
35 __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
36
37 prefregex = ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>$
38
39 failregex = ^(view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
40 ^zone transfer '\S+/AXFR/\w+' denied\s*$
41 ^bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
42 ^(view (internal|external): )?rate limit (drop|slip) response to \S+ for \. IN ANY$
43
44 ignoreregex =
45
46 # DEV Notes:
47 # Trying to generalize the
48 # structure which is general to capture general patterns in log
49 # lines to cover different configurations/distributions
50 #
51 # Author: Yaroslav Halchenko
And enable the configuration /etc/fail2ban/jail.d/named-refused.conf
1 ### SEE ../filter.d/named-refused.conf
2 ### ADDED REGEX TO failregex TO SUPPRESS DDOS ATTACKS
3 ### ^(view (internal|external): )?rate limit (drop|slip) response to \S+ for \. IN ANY$
4
5 [named-refused-udp]
6
7 enabled = true
8 filter = named-refused
9 port = domain,953
10 protocol = udp
11 logpath = /var/log/bind/security.info
12
13 [named-refused]
14
15 enabled = true
16 port = domain,953
17 logpath = /var/log/bind/security.info
DNS
Top-Level Domains (TLDs)
Groups of TLDs:
generic TLD (gTLD): with three or more characters -> Managed by Internet Corporation for Assigned Names and Numbers (ICANN)
restricted generic TLD (grTLD) -> managed under official ICANN accredited registrars
sponsored TLD (sTLD): are proposed and sponsored by private agencies or organizations that establish and enforce rules restricting the eligibility to use the TLD. Use is based on community theme concepts; -> managed under official ICANN accredited registrars.
unsponsored TLD (uTLD)
country-code TLD (ccTLD) - Two-letter domains established for countries or territories. With some historical exceptions (e.g. .uk (additionally to .gb), .eu for Europe), the code for any territory is the same as its two-letter ISO 3166 code. Creation and delegation of ccTLDs is described in RFC 1591, corresponding to ISO 3166-1 alpha-2 country codes. -> Managed by local (IANA) trusted registries
internationalized ccTLD (IDN ccTLD) - ccTLDs in non-Latin character sets (e.g., Arabic, Cyrillic, Hebrew, or Chinese) since November 2009; Punycode-translated ASCII domain names.
- test TLD (tTLD): These domains were installed under .test for testing purposes in the IDN development process; these domains are not present in the root zone.
infrastructure TLD (iTLD) -> managed by IANA
- .root (never actively used)
.arpa (Address and Routing Parameter Area)
- .root (never actively used)
- .bitnet (decrecated)
- .uucp (decrecated)
Lists
Official, authoritative list of all Top-Level domains published by Internet Assigned Numbers Authority (IANA) Root Zone Database
Reserved domains
RFC 6761 reserves the following four top-level domain names to avoid confusion and conflict.[18] Any such reserved usage of those TLDs should not occur in production networks that utilize the global domain name system:
- example: reserved for use in examples
- invalid: reserved for use in obviously invalid domain names
- localhost: reserved to avoid conflict with the traditional use of localhost as a hostname
- test: reserved for use in tests
RFC 6762 reserves the use of .local for link-local host names that can be resolved via the Multicast DNS name resolution protocol.
RFC 7686 reserves the use of .onion for the self-authenticating names of Tor hidden services. These names can only be resolved by a Tor client because of the use of onion routing to protect the anonymity of users.