BIND: HOWTO Close an Open DNS

BIND 9.9.7
BIND 9.9.5

Book: ZyTrax Pro DNS and BIND

Time-to-Live (TTL) Values
Start of Authority Resource Record (SOA)
BIND Time formats
IPv6 Address Record (AAAA)
HOWTO Close an Open DNS
DNS BIND Query Statements
DNS Configuration Types
DNS Sample BIND Configurations
$ORIGIN, @ and blank Substitution
DNS BIND9 logging Clause

    #s = seconds = # x 1 seconds (really!)
    #m = minutes = # x 60 seconds
    #h = hours = # x 3600 seconds
    #d = day = # x 86400 seconds
    #w = week = # x 604800 seconds

Problems

nslookup not found in FreeBSD 10

# pkg install bind-tools

May you please add alias for nslookup?
FreeBSD 10 sysinstall, nslookup

named: the working directory is not writable

# chown -R bind:bind /var/named/etc/namedb

named: the working directory is not writable

open: /usr/local/etc/rndc.key: file not found

# rndc-confgen -a

Bind does not provide /etc/rndc.key

Stopping named: rndc failed, trying killall: .

Using rndc (German)
Using rndc
Stopping named: rndc failed, trying killall: .

rndc: ‘stats’ failed: permission denied

options {
    dump-file       "/var/named/dump/named_dump.db";
    statistics-file "/var/named/stats/named.stats";
};

rndc works, but rndc stats doesn't
rndc dumpdb could not open dump file

Howto

DNS request

- authoritative (the server takes the data from a local zone file)
- non-authoritative
  o recursive (the server fetches the data from another name server)
  o iterative (the server answers with one or more referrals
               or a resource record pointing to other name servers)

Recursive and iterative name resolution

recursion
If yes, and a DNS query requests recursion, then the server will attempt to do all the work required to answer the query. If recursion is off and the server does not already know the answer, it will return a referral response. The default is yes. Note that setting recursion no does not prevent clients from getting data from the server’s cache; it only prevents new data from being cached as an effect of client queries. Caching may still occur as an effect of the server’s internal operation, such as NOTIFY address lookups. See also fetch-glue above.

fetch-glue
This option is obsolete. In BIND 8, fetch-glue yes caused the server to attempt to fetch glue resource records it didn’t have when constructing the additional data section of a response. This is now considered a bad idea and BIND 9 never does it.

BIND 9 Configuration Reference

Configuring an Authoritative-Only Name Server

Problem
You want to configure an “authoritative-only” or nonrecursive name server.
Cooking with DNS & BIND

Wireshark

(dns) && (dns.qry.type == 1)   => Wireshark display filter, query type 1 = record type A
$ tcpdump -s 1500 -w output.pcap port 53
-s <number>   snapshot length: bytes captured per packet
-w <file>     write the raw packets to this file (open it in Wireshark)
port 53       capture filter expression (53 = DNS); note that tcpdump's -p option is not a port, it disables promiscuous mode

List of DNS record types

Fail2Ban

Fail2Ban
DNS Root Query Amplification with Fail2Ban
Fail2Ban with FreeBSD
Integrating PF with Fail2ban 0.9

Tutorials

A Nonrecursive Name Server, O’Reilly DNS and BIND
How to Disable External DNS recursion?
Configuring Bind Non Recursive
Wikipedia: Recursive and iterative name resolution
What is a “recursive DNS query”?

# /usr/sbin/named -t /var/named -u bind -fg
-t chroot() to directory after processing the command line arguments
-u setuid() to user after completing privileged operations
-f Run the server in the foreground
-g Run the server in the foreground and force all logging to stderr
recursion no;

# /usr/sbin/named -t /var/named -u bind -fg
05-Aug-2013 19:58:10.872 starting
05-Aug-2013 19:58:10.876 listening on IPv4 interface em0, 1.2.3.4#53
05-Aug-2013 19:58:10.877 listening on IPv4 interface lo0, 127.0.0.1#53
05-Aug-2013 19:58:10.880 running
05-Aug-2013 19:59:11.360 unexpected RCODE (REFUSED) resolving 'www.XXX.ch/A/IN': 1.2.3.4#53
05-Aug-2013 19:59:13.359 lame server resolving 'blog.XXX.net' (in 'XXX.net'?): 1.118.193.3#53
05-Aug-2013 19:59:13.359 lame server resolving 'blog.XXX.net' (in 'XXX.net'?): 2.134.128.59#53
05-Aug-2013 19:59:13.360 lame server resolving 'blog.XXX.net' (in 'XXX.net'?): 2.134.128.59#53
05-Aug-2013 19:59:13.361 lame server resolving 'blog.XXX.net' (in 'XXX.net'?): 1.118.193.3#53

05-Aug-2013 20:00:22.718 shutting down
05-Aug-2013 20:00:22.719 no longer listening on 1.2.3.4#53
05-Aug-2013 20:00:22.719 no longer listening on 127.0.0.1#53
05-Aug-2013 20:00:22.720 exiting
# /usr/local/sbin/named -t /var/named -u bind -fg -c /etc/namedb/named.conf
29-Sep-2015 20:16:29.117 starting BIND x.x.x. -t /var/named -u bind -fg -c /etc/namedb/named.conf
29-Sep-2015 20:16:29.117 found 2 CPUs, using 2 worker threads
29-Sep-2015 20:16:29.117 using 2 UDP listeners per interface
29-Sep-2015 20:16:29.120 using up to 4096 sockets
29-Sep-2015 20:16:29.137 ENGINE_by_id failed (crypto failure)
29-Sep-2015 20:16:29.138 error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
29-Sep-2015 20:16:29.138 error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
29-Sep-2015 20:16:29.138 error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=gost
29-Sep-2015 20:16:29.140 initializing DST: crypto failure
29-Sep-2015 20:16:29.140 exiting (due to fatal error)

# /usr/local/sbin/named -u bind -fg -c /etc/namedb/named.conf
29-Sep-2015 20:16:51.826 starting BIND x.x.x -u bind -fg -c /etc/namedb/named.conf
29-Sep-2015 20:16:51.826 found 2 CPUs, using 2 worker threads
29-Sep-2015 20:16:51.826 using 2 UDP listeners per interface
29-Sep-2015 20:16:51.829 using up to 4096 sockets
29-Sep-2015 20:16:51.853 loading configuration from '/etc/namedb/named.conf'
29-Sep-2015 20:16:51.855 using default UDP/IPv4 port range: [49152, 65535]
29-Sep-2015 20:16:51.855 using default UDP/IPv6 port range: [49152, 65535]
29-Sep-2015 20:16:51.856 listening on IPv4 interface em0, 195.134.157.20#53
29-Sep-2015 20:16:51.858 listening on IPv4 interface lo0, 127.0.0.1#53
[...]
29-Sep-2015 20:16:51.891 command channel listening on 127.0.0.1#953
29-Sep-2015 20:16:51.891 not using config file logging statement for logging due to -g option
29-Sep-2015 20:16:51.892 managed-keys-zone: loaded serial 0
29-Sep-2015 20:16:51.893 redirect-zone: loaded serial 2014060401
29-Sep-2015 20:16:51.907 zone 157.x.x.in-addr.arpa/IN: loaded serial 2007020101
29-Sep-2015 20:16:51.912 zone xxx.ch/IN: loaded serial 2007020101
29-Sep-2015 20:16:51.929 zone yyy.ch/IN: loaded serial 2007020101
29-Sep-2015 20:16:51.930 all zones loaded
29-Sep-2015 20:16:51.933 running

What is the meaning of these BIND log messages?

  • “unexpected RCODE (SERVFAIL)…”
  • “lame server resolving…”
allow-recursion { 127.0.0.1; };

05-Aug-2013 20:05:39.820 starting
05-Aug-2013 20:05:39.824 loading configuration from '/etc/namedb/named.conf'
05-Aug-2013 20:05:39.825 listening on IPv4 interface em0, 1.2.3.4#53
05-Aug-2013 20:05:39.825 listening on IPv4 interface lo0, 127.0.0.1#53
05-Aug-2013 20:05:39.830 zone 0.0.127.in-addr.arpa/IN: loaded serial 2007020101
05-Aug-2013 20:05:39.832 zone AAA.ch/IN: loaded serial 2007020101
05-Aug-2013 20:05:39.833 zone BBB.ch/IN: loaded serial 2007020101
05-Aug-2013 20:05:39.833 zone CCC.ch/IN: loaded serial 2007020101
05-Aug-2013 20:05:39.834 zone DDD.ch/IN: loaded serial 2007020101
05-Aug-2013 20:05:39.835 zone localhost/IN: loaded serial 2007020101
05-Aug-2013 20:05:39.837 running
05-Aug-2013 20:05:39.837 zone localhost/IN: sending notifies (serial 2007020101)
05-Aug-2013 20:05:39.838 zone AAA.ch/IN: sending notifies (serial 2007020101)
05-Aug-2013 20:05:39.838 zone BBB.net/IN: sending notifies (serial 2007020101)
05-Aug-2013 20:05:39.838 zone CCC.net/IN: sending notifies (serial 2007020101)
05-Aug-2013 20:05:39.838 zone DDD.net/IN: sending notifies (serial 2007020101)
05-Aug-2013 20:05:39.838 zone 0.0.127.in-addr.arpa/IN: sending notifies (serial 2007020101)
05-Aug-2013 20:05:39.838 client 1.2.3.4#56328: received notify for zone 'localhost'
05-Aug-2013 20:05:40.339 client 1.2.3.4#56328: received notify for zone 'AAA.ch'
05-Aug-2013 20:05:40.339 client 1.2.3.4#56328: received notify for zone 'BBB.net'
05-Aug-2013 20:05:40.340 client 1.2.3.4#56328: received notify for zone 'CCC.net'
05-Aug-2013 20:05:40.340 client 1.2.3.4#56328: received notify for zone 'DDD.net'
05-Aug-2013 20:05:40.840 client 1.2.3.4#56328: received notify for zone '0.0.127.in-addr.arpa'

05-Aug-2013 20:09:10.348 shutting down
05-Aug-2013 20:09:10.348 no longer listening on 1.2.3.4#53
05-Aug-2013 20:09:10.348 no longer listening on 127.0.0.1#53
05-Aug-2013 20:09:10.350 exiting
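To verify from the outside that `recursion no;` or `allow-recursion { 127.0.0.1; };` actually closed the resolver, here is an added example (not from the original page and not part of BIND): a POSIX shell check that classifies a server from the header of a `dig` answer. The sample answers and the address 192.0.2.53 are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): tell from the header of a
# `dig` answer whether a name server still acts as an open resolver.
# After `recursion no;` or a restrictive `allow-recursion { ... };`, a
# recursive query for a name the server is not authoritative for should
# come back REFUSED, or at least without the "ra" (recursion available) flag.
# The sample answers below are constructed so the script runs offline.

# Reads dig output on stdin, prints open|closed|unknown and returns
# 1 for open, 0 for closed, 2 for unknown (no header: timeout, bad input).
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    if [ -z "$status" ]; then echo unknown; return 2; fi
    # NOERROR/NXDOMAIN plus "ra" means the server recursed on our behalf.
    if [ "$status" != REFUSED ]; then
        case " $flags " in *" ra "*) echo open; return 1 ;; esac
    fi
    echo closed
    return 0
}

# Constructed sample: an open resolver answers a foreign name with NOERROR
# and advertises recursion (ra). 192.0.2.53 is a documentation address.
sample_open_resolver() {
cat <<'EOF'
; <<>> DiG 9.9.7 <<>> @192.0.2.53 www.example.com A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
EOF
}

# Constructed sample: the same server after recursion was closed.
sample_closed_resolver() {
cat <<'EOF'
; <<>> DiG 9.9.7 <<>> @192.0.2.53 www.example.com A
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
EOF
}

# Live check: dig @<your server> www.example.com A | classify_dig_output
for f in sample_open_resolver sample_closed_resolver; do
    printf '%-22s -> %s\n' "$f" "$($f | classify_dig_output)"
done
```

An answer for one of the server's own zones carries aa but no ra once recursion is closed, so it is reported as closed as well.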

How to setup Local Authoritative DNS
BIND 10: Authoritative DNS Server
