4. DNS http://www.isc.org/sw/bind/

4.1 Документация

• FAQ
• Настройка bind
• DNS-HOWTO
• DNS - ДОМЕННАЯ СЛУЖБА ИМЕН
• Руководство по настройке DNS сервера (BIND)
• BIND version 8.x
• DNS Extensions
• Bind vulnerabilities
• Secure BIND Template Version 3.6
• Статья "Securing DNS (Linux version)"
• Минимум необходимых усилий по защите DNS
• BEST DEFENSE | Beyond Ipchains
• DNS - Linux/
• Chroot для DNS
• Альтернатива bind - DJDNS [Источник]
• Самый быстрый DNS
• Настройка named (BIND/ name server). Кэширующий сервер, slave и master
• Observations of malformed dns messages - 29 Sept-20 Oct 2003 [Bugtraq]
• Attacking the DNS Protocol Security Paper [Bugtraq]
• Веб-интерфейс к DNS серверу [forum.opennet.ru]
• Защита сервера DNS[LinuxRSP.Ru: рассылка #289]
• Документация по настройке DNS[tcp.spb.ru]
• Secure BIND Template Version 4.1 17 NOV 2003
• Как правильно разместить DNS-сервер[ comp.soft.linux.linuxbegin]
• Bind9arm
• DNS как средство преодоления защиты [BugTraq: Обозрение #183, 03.08.2004]
• DHCP+DNS по шагам[comp.soft.linux.linuxbegin: Выпуск #1 (#63)]
• Secure the BIND Configuration [forum.opennet.ru]
• SETTING UP YOUR OWN DNS [comp.mail.sendmail]
• Basic DNS PTR Records And Why You Care [comp.mail.sendmail]
• How Reverse DNS Works or, "Almost a Reverse DNS FAQ" [comp.mail.sendmail]
• DNS/BIND: Create a basic zone file [comp.mail.sendmail]
• Setting up inverse DNS for SBC/Pacific*Bell Internet [comp.mail.sendmail]
• DNS Resources Directory
• Если убежал серийный номер зоны...
• This site will provide you with a DNS report for your domain
• O'Reilly DNS & BIND (4th ed)
• However, having multiple PTR records for the same IP address is generally not recommended unless there is a specific need... Multiple PTR records can cause a couple of problems, including triggering bugs in programs that only expect there to ever be a single PTR record and, in the case of a large webserver, having hundreds of PTR records can cause the DNS packets to be much larger than normal.
• About multiple PTRs. It is possible for there to be multiple PTRs at a single reverse tree node. In extreme cases, these multiple PTRs could cause a DNS response to exceed the UDP limit, and fall back to TCP or otherwise exceed the DNS protocol limits. Such a case could be one where the advantages of reverse mapping are exceeded by the disadvantages of the additional burden. This may be of particular significance for "mass virtual hosting" systems, where many hostnames are associated with a single IP.
• Does anyone know of an RFC that discusses this (hopefully, in our favor that multiple PTRs for the same IP is not a good thing). They are not a good idea because they don't scale. In the past large web hosters attempted to put a PTR record for every virtual site on their servers. This ends up exceeding the limits of normal query resolution support. You get truncated TCP responses. You have to resort to AXFR to retrieve the PTR records. The DNS does not impose a order on returned records. If you have multiple PTR records and you are trying to do access control by name the application has to either list all the names (if it looks at h_name) or try all the aliases. Not all lookup mechanism supply all the names which inturn leads to maintenance issues on the access lists. Think of PTR records in the reverse tree as returning the canonical name of the machine. Usually this would be the name the machine knows itself as (fully qualified). If you do this you won't break the API's for returning the name of the machine based on the address
  RFC1035 describes PTR records as a bit more general than just as pointing to IPs. Rather, they merely point to other places in the DNS hierarchy. The fact that they are mostly only used in reverse zones with an IP's octet is kind of incidental from the RFC's point of view.
• DNS for Rocket Scientists This Open Source Guide is about DNS and (mostly) BIND 9.x on Linux (Fedora Core), BSD's (FreeBSD, OpenBSD and NetBSD) and Windows (Win 2K, XP, Server 2003). It is meant for newbies, Rocket Scientist wannabees and anyone in between.
• RFC1912. Common DNS Operational and Configuration Errors. [Источник]
  4.1 Boot file setup
  Certain zones should always be present in nameserver configurations:
  primary localhost localhost
  primary 0.0.127.in-addr.arpa 127.0
  primary 255.in-addr.arpa 255
  primary 0.in-addr.arpa 0
  These are set up to either provide nameservice for "special" addresses, or to help eliminate accidental queries for broadcast or local address to be sent off to the root nameservers. All of these files will contain NS and SOA records just like the other zone files you maintain, the exception being that you can probably make the SOA timers very long, since this data will never change.
  The "localhost" address is a "special" address which always refers to the local host. It should contain the following line:
  localhost. IN A 127.0.0.1
  The "127.0" file should contain the line:
  1 PTR localhost.
  There has been some extensive discussion about whether or not to append the local domain to it. The conclusion is that "localhost." would be the best solution. The reasons given include:
  "localhost" by itself is used and expected to work in some systems.
  Translating 127.0.0.1 into "localhost.dom.ain" can cause some software to connect back to the loopback interface when it didn't want to because "localhost" is not equal to "localhost.dom.ain".
  The "255" and "0" files should not contain any additional data beyond the NS and SOA records.
  Note that future BIND versions may include all or some of this data automatically without additional configuration.
  

4.2 Анализируем логи named

• О чем говорит "WWW.N3T.COM.BR." в unmatched-логах named'a .
• О чем может говорить "no more recursive clients: quota reached " в логах named'a.
• Многочисленные сообщения " named[486]: sysquery: no addrs found for root NS () " [forum.opennet.ru]
• Сообщение в /var/log/messages: process `named' is using obsolete setsockopt SO_BSDCOMPAT
• Gate named[343]: denied update from [192.168.0.48].1029 for "0.168.192.in-addr.arpa" IN (необходимо разотметить опцию "Протокол Интернета (TCP|IP) -> Свойства -> Дополнительно -> ДНС -> зарегистрировать адреса этого подключения в ДНС" на клиентских станциях ) [www.opennet.ru]
• Сообщение process `named' is using obsolete setsockopt SO_BSDCOMPAT
• Сообщения named, появляющиеся после апгрейда ядра:

20-Dec-2005 13:33:26.763 general: error: socket.c:1115: unexpected error:
20-Dec-2005 13:33:26.764 general: error: internal_send: 62.76.90.40#1040: Invalid argument
20-Dec-2005 13:33:26.764 client: warning: client 62.76.90.40#1040: error sending response: invalid file
• 05-Feb-2009 10:12:48.359 client 89.149.221.182#59334: query: . IN NS +

4.3 Задачки

• Можно ли сделать так, чтобы при запросе одного доменного имени DNS сервер анализировал ip адреса того, кто запрашивает, и в зависимости от этого выдавал разные ip-адреса? [forum.opennet.ru]
pid-file "/etc/bind/named.pid"; dump-file "/var/log/cache_dump.db"; statistics-file "/var/log/named_stats.txt"; memstatistics-file "/var/log/named_mem_stats.txt"; options { directory "/etc/bind"; pid-file "/etc/bind/named.pid"; dump-file "/var/log/cache_dump.db"; statistics-file "/var/log/named_stats.txt"; memstatistics-file "/var/log/named_mem_stats.txt"; rndc dumpdb -cache rndc stats вообщем, rndc --help http://www.linux.org.ru/forum/admin/5884932?lastmod=1297235946523

4.4 Правильно ли настроен ваш днс-сервер?

• Проверка коннективности. Network Tools.
• 05-Feb-2009 10:12:48.359 client 89.149.221.182#59334: query: . IN NS +
• Тест. Отвергает ли ваш днс запросы к зоне "." (точка, т.е. корневым NS-серверам) .
• Обсуждение DNS queries for the name server of the domain "." (NS query for a single dot).
• rndc не запускается, выдавая сообщение:
  rndc: connection to remote host closed
  This may indicate that
  * the remote server is using an older version of the command protocol,
  * this host is not authorized to connect,
  * the clocks are not synchronized, or
  * the key is invalid.
  А скорее всего у вас отсутствует rndc.conf, либо на него установлены неверные права.
  У меня выставлены следующие права: -rw-rw-r-- 1 gson wheel 522 Mar 12 21:32 rndc.conf.
  gson - это пользователь, под которым запущен named, группа wheel - это пользователь root + пользователь-администратор.
• Как уменьшить прожорливостьна маломощном сервере ? (Ответ: перекомпилировать без threads) [www.linux.org.ru]

4.5 DNS-сервер т-о-р-м-о-з-ии-ттт ...

• Проблема именно в наличии двух ДНС-серверов в ДМЗ, когда у одного из них два айпишника. Структура сети была такова, что при потребности разрешить имя из другого домена, днс-запрос посылался второму серверу, где формировался ответ и пытался вернуться на второй айпишиник первого днс-сервера %), начиналась какая-то котовасия (плюс между серверами стоит ASA) и в итоге порождался этакий DNS-шторм из DNS-запросов и ответов (как бы коряво это не звучало). Запретил встречные форварды и все! Опять загрузка ЦП порядка 0,1%. [forum.opennet.ru]
• Моя собственная проблема с тормозами DNS была в уровне логирования debug, который был включен накануне поздно вечером для отладки кое-каких моментов и благополучно забыт. Зато в на след. день, когда юзеры часов в 11 утра "проснулись", нарисовалась точно такая же картина, какую вы описываете. Кроме того запись на HDD на сист. блоке просто не гасла, named успел накрутить около 1Gb лога.

4.6 Полезное для установки bind

• ISC and OpenPGP - открытый ключ
• Download ISC Software
• BIND Documentation
• Frequently Asked Questions - BIND
• lists.isc.org Mailing Lists
• The bind-users Archives

4.7 Bind-9.7.2-P3

• Where is managed-keys.bind (managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found)? touch managed-keys.bind