{"id":679,"date":"2013-08-05T12:14:42","date_gmt":"2013-08-05T12:14:42","guid":{"rendered":"http:\/\/blog.bachi.net\/?p=679"},"modified":"2015-09-29T18:25:52","modified_gmt":"2015-09-29T18:25:52","slug":"bind-howto-close-an-open-dns","status":"publish","type":"post","link":"https:\/\/blog.bachi.net\/?p=679","title":{"rendered":"BIND: HOWTO Close an Open DNS"},"content":{"rendered":"

BIND 9.9.7
\nBIND 9.9.5<\/p>\n

Book: ZyTrax Pro DNS and BIND<\/h3>\n

Time-to-Live (TTL) Values<\/a>
\nStart of Authority Resource Record (SOA)<\/a>
\nBIND Time formats<\/a>
\nIPv6 Address Record (AAAA)<\/a>
\nHOWTO Close an Open DNS<\/a>
\nDNS BIND Query Statements<\/a>
\nDNS Configuration Types<\/a>
\nDNS Sample BIND Configurations<\/a><\/strong>
\n$ORIGIN, @ and blank Substitution<\/a>
\nDNS BIND9 logging Clause<\/a><\/p>\n

\r\n    #s = seconds = # x 1 seconds (really!)\r\n    #m = minutes = # x 60 seconds\r\n    #h = hours = # x 3600 seconds\r\n    #d = day = # x 86400 seconds\r\n    #w = week = # x 604800 seconds\r\n<\/pre>\n
Problems<\/h3>\n
nslookup not found in FreeBSD 10<\/h4>\n
\r\n# pkg install bind-tools\r\n<\/pre>\n
May you please add alias for nslookup?<\/a>
\nFreeBSD 10 sysinstall, nslookup<\/a><\/p>\n
named: the working directory is not writable<\/h4>\n
\r\n# chown -R bind:bind \/var\/named\/etc\/namedb\r\n<\/pre>\n
named: the working directory is not writable<\/a><\/p>\n
open: \/usr\/local\/etc\/rndc.key: file not found<\/h4>\n
\r\n# rndc-confgen -a\r\n<\/pre>\n
Bind does not provide \/etc\/rndc.key<\/a><\/p>\n
Stopping named: rndc failed, trying killall: .<\/h4>\n
\r\n\r\n<\/pre>\n
Die Verwendung von rndc<\/a>
\nUsing rndc<\/a>
\nStopping named: rndc failed, trying killall: .<\/a><\/p>\n
rndc: ‘stats’ failed: permission denied<\/h4>\n
\r\noptions {\r\n    dump-file       "\/var\/named\/dump\/named_dump.db";\r\n    statistics-file "\/var\/named\/stats\/named.stats";\r\n};\r\n<\/pre>\n
rndc works, but rndc stats doesnt<\/a>
\nrndc dumpdb could not open dump file<\/a><\/p>\n
Howto<\/h3>\n
DNS-Request<\/strong><\/p>\n
\r\n- autoritativ (der Server holt die Daten aus einer lokalen Zonendatei)\r\n- nicht-autoritativ\r\n  o rekursiv (der Server holt die Daten von einem anderen Nameserver)\r\n  o iterativ (der Server antwortet mit einem oder mehreren Verweisen\r\n              oder einem Resource Record auf andere Nameserver)\r\n<\/pre>\n
Rekursive und iterative Namensaufl\u00f6sung<\/a><\/p>\n
recursion<\/strong>
\nIf yes, and a DNS query requests recursion, then the server will attempt to do all the work required to answer the query. If recursion is off and the server does not already know the answer, it will return a referral response. The default is yes. Note that setting recursion no does not prevent clients from getting data from the server’s cache; it only prevents new data from being cached as an effect of client queries. Caching may still occur as an effect the server’s internal operation, such as NOTIFY address lookups. See also fetch-glue above. <\/p>\n
fetch-glue<\/strong>
\nThis option is obsolete. In BIND 8, fetch-glue yes caused the server to attempt to fetch glue resource records it didn’t have when constructing the additional data section of a response. This is now considered a bad idea and BIND 9 never does it.<\/p>\n
BIND 9 Configuration Reference<\/a><\/p>\n
Configuring an Authoritative-Only Name Server<\/h4>\n
Problem<\/strong>
\nYou want to configure an “authoritative-only” or nonrecursive name server.
\nCooking with DNS & BIND<\/a><\/p>\n
Wireshark<\/h3>\n
\r\n(dns) && (dns.qry.type == 1)   => Record type A\r\n<\/pre>\n
\r\n$ tcpdump -s 1500 -p 53 -w output.pcap\r\n-s <number>   number in bytes per packet\r\n-w <file>     output file\r\n-p <number>   port number (ex. 53 = DNS)\r\n<\/pre>\n
List of DNS record types<\/a><\/p>\n
Fail2Ban<\/h3>\n
Fail2Ban<\/a>
\nDNS Root Query Amplification with Fail2Ban<\/a>
\nFail2Ban with FreeBSD<\/a>
\nIntegrating PF with Fail2ban 0.9<\/a><\/p>\n
Tutorials<\/h3>\n
A Nonrecursive Name Server<\/a>, O’Reilly DNS and BIND
\nHow to Disable External DNS recursion?<\/a>
\nConfiguring Bind Non Recursive<\/a>
\nWikipedia: Rekursive und iterative Namensaufl\u00f6sung<\/a>
\nWhat is a \u201crecursive DNS query\u201d?<\/a><\/p>\n
\r\n# \/usr\/sbin\/named -t \/var\/named -u bind -fg\r\n-t chroot() to directory after processing the command line arguments\r\n-u setuid() to user after completing privileged operations\r\n-f Run the server in the foreground\r\n-g Run the server in the foreground and force all logging to stderr\r\n<\/pre>\n
\r\nrecursion  no;\r\n\r\n# \/usr\/sbin\/named -t \/var\/named -u bind -fg\r\n05-Aug-2013 19:58:10.872 starting\r\n05-Aug-2013 19:58:10.876 listening on IPv4 interface em0, 1.2.3.4#53\r\n05-Aug-2013 19:58:10.877 listening on IPv4 interface lo0, 127.0.0.1#53\r\n05-Aug-2013 19:58:10.880 running\r\n05-Aug-2013 19:59:11.360 unexpected RCODE (REFUSED) resolving 'www.XXX.ch\/A\/IN': 1.2.3.4#53\r\n05-Aug-2013 19:59:13.359 lame server resolving 'blog.XXX.net' (in 'XXX.net'?): 1.118.193.3#53\r\n05-Aug-2013 19:59:13.359 lame server resolving 'blog.XXX.net' (in 'XXX.net'?): 2.134.128.59#53\r\n05-Aug-2013 19:59:13.360 lame server resolving 'blog.XXX.net' (in 'XXX.net'?): 2.134.128.59#53\r\n05-Aug-2013 19:59:13.361 lame server resolving 'blog.XXX.net' (in 'XXX.net'?): 1.118.193.3#53\r\n\r\n05-Aug-2013 20:00:22.718 shutting down\r\n05-Aug-2013 20:00:22.719 no longer listening on 1.2.3.4#53\r\n05-Aug-2013 20:00:22.719 no longer listening on 127.0.0.1#53\r\n05-Aug-2013 20:00:22.720 exiting\r\n<\/pre>\n
\r\n# \/usr\/local\/sbin\/named -t \/var\/named -u bind -fg -c \/etc\/namedb\/named.conf\r\n29-Sep-2015 20:16:29.117 starting BIND x.x.x. -t \/var\/named -u bind -fg -c \/etc\/namedb\/named.conf\r\n29-Sep-2015 20:16:29.117 found 2 CPUs, using 2 worker threads\r\n29-Sep-2015 20:16:29.117 using 2 UDP listeners per interface\r\n29-Sep-2015 20:16:29.120 using up to 4096 sockets\r\n29-Sep-2015 20:16:29.137 ENGINE_by_id failed (crypto failure)\r\n29-Sep-2015 20:16:29.138 error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:\r\n29-Sep-2015 20:16:29.138 error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:\r\n29-Sep-2015 20:16:29.138 error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=gost\r\n29-Sep-2015 20:16:29.140 initializing DST: crypto failure\r\n29-Sep-2015 20:16:29.140 exiting (due to fatal error)\r\n\r\n# \/usr\/local\/sbin\/named -u bind -fg -c \/etc\/namedb\/named.conf\r\n29-Sep-2015 20:16:51.826 starting BIND x.x.x -u bind -fg -c \/etc\/namedb\/named.conf\r\n29-Sep-2015 20:16:51.826 found 2 CPUs, using 2 worker threads\r\n29-Sep-2015 20:16:51.826 using 2 UDP listeners per interface\r\n29-Sep-2015 20:16:51.829 using up to 4096 sockets\r\n29-Sep-2015 20:16:51.853 loading configuration from '\/etc\/namedb\/named.conf'\r\n29-Sep-2015 20:16:51.855 using default UDP\/IPv4 port range: [49152, 65535]\r\n29-Sep-2015 20:16:51.855 using default UDP\/IPv6 port range: [49152, 65535]\r\n29-Sep-2015 20:16:51.856 listening on IPv4 interface em0, 195.134.157.20#53\r\n29-Sep-2015 20:16:51.858 listening on IPv4 interface lo0, 127.0.0.1#53\r\n[...]\r\n29-Sep-2015 20:16:51.891 command channel listening on 127.0.0.1#953\r\n29-Sep-2015 20:16:51.891 not using config file logging statement for logging due to -g option\r\n29-Sep-2015 20:16:51.892 managed-keys-zone: loaded serial 0\r\n29-Sep-2015 20:16:51.893 redirect-zone: loaded serial 2014060401\r\n29-Sep-2015 20:16:51.907 zone 157.x.x.in-addr.arpa\/IN: loaded serial 2007020101\r\n29-Sep-2015 20:16:51.912 zone xxx.ch\/IN: loaded serial 2007020101\r\n29-Sep-2015 20:16:51.929 zone yyy.ch\/IN: loaded serial 2007020101\r\n29-Sep-2015 20:16:51.930 all zones loaded\r\n29-Sep-2015 20:16:51.933 running\r\n<\/pre>\n
What is the meaning of these BIND log messages?<\/a><\/p>\n