Ubuntu Server Chapter 8 DNS Service

# Principles of Domain Name Resolution

Last week's notes were rewarded, which made me happy. These are the two articles I worked hard to update last week.

The content of this chapter is the DNS service. In the remote management chapter, PuTTY was used and the hosts file was used to point a domain name at the other party's IP; DNS was in fact already involved there.

DNS (Domain Name Service), the domain name system, is responsible for the conversion between domain names and IP addresses. A string such as "wuhash.com" used to visit a website is called a domain name. As mentioned in the chapter on network fundamentals, computers communicate using IP addresses. DNS appeared to solve the problem that the growing number of IP addresses is hard to remember. Think of it as an address book that records the correspondence between domain names and IPs.

We know that IPv4 addresses have run out, and the age of IPv6 has begun.

When we talk about the [domain name resolution](https://cloud.tencent.com/product/cns?from=10680) system, in most cases it refers to DNS. Why do I say that? Because in small local area networks there is usually another name resolution service, Microsoft's WINS.

The usual www.wuhash.com is called an FQDN (Fully Qualified Domain Name), which is the domain plus the computer name: www is the host name and wuhash.com is the domain. DNS is a distributed system, with servers scattered all over the world. Each DNS server maintains its own database, which stores the corresponding records. The structure of the entire DNS is as follows:

Since the DNS server for each domain does not hold records for all domains, a query is first sent to the root domain, and the root delegates it level by level down to the target domain. At present, the root domain is managed by ICANN.

There are also different record types. The following figure, from DNSPod, shows them:

Only some commonly used record types are listed here; there are more to learn about.

## DNS query structure

This section introduces the application and deployment details of DNS.

There are three DNS server roles in a domain: the master name server (Master DNS), the secondary name server (Slave DNS), and the cache server (Cache DNS).

In a home network, the typical structure is an optical modem whose uplink is the fibre provided by the operator, with the home LAN's wireless AP or switch connected downstream. When the optical modem dials up it obtains an IP address, DNS server addresses and other information; the DNS here is actually the cache DNS server provided by the operator. If no additional configuration is done, the DNS address that LAN hosts obtain via DHCP is the LAN-side IP of the optical modem or wireless AP. When that LAN IP is used as the DNS server, the client's DNS requests are proxied (forwarded); if a DNS server address is set directly, the requests are sent straight to that server.

So what happens after the DNS request is sent to the configured server?

As can be seen, in the DNS request process the step from the client to the local server is called a recursive query, while the local server's own step of querying the root server and then each delegated server in turn is called an iterative query.

## DNS service installation

When the number of users in an enterprise reaches a certain scale, optimizing network traffic becomes a problem. One approach is to build your own DNS server, which reduces the volume of forwarded DNS requests at the border gateway and frees up bandwidth. Next time I get a chance I will write about the DNS server on Windows Server; here is an introduction to setting up the DNS service on Ubuntu. The most widely used DNS server software is BIND (Berkeley Internet Name Domain), which supports multiple platforms. By default it serves on TCP port 53 and UDP port 53: clients use UDP port 53 for queries, while TCP is used for synchronization and data transfer between the primary and secondary DNS servers. In one special case, when the response to a client's query exceeds 512 bytes, the client resends the query over TCP.

sudo apt install bind9 dnsutils        # Test tools such as dig, host and nslookup come from the dnsutils package
cat /etc/bind/db.root                  # Addresses of the 13 logical root name servers (IPv4 and IPv6)
ll /usr/sbin/named                     # Main program file
cat /etc/bind/named.conf               # Main configuration file, the entry point that includes the other configuration files
/etc/bind/named.conf.options           # Configure forwarding here to turn the server into a cache DNS server
/etc/bind/named.conf.local             # The file that defines internal zones
/etc/bind/named.conf.default-zones     # The file that defines the default zones

db.root already contains the addresses of the 13 logical root name servers distributed around the world, with both IPv4 and IPv6 addresses. A question arises here: do 13 root server addresses mean there are only 13 root servers? No. The 13 IPs are anycast addresses, each of which corresponds to many physical mirror nodes, and routing delivers your query to the nearest node.

sudo vim /etc/bind/named.conf.options
acl "local" { 10.10.10.0/24; };    # Specify the network segment allowed to send DNS requests (network address with zero host bits)
options {
    recursion yes;                 # Allow recursion
    allow-query { local; };        # Only answer queries from the "local" acl; without this line the acl above has no effect
    listen-on { 10.10.10.131; };   # Specify the interface address to listen on
    // forwarders { 8.8.8.8; };    # Specify the DNS server to forward to (commented out here)
};  # Note that not all of the configuration is shown here, only the modified part

zone "sina.com.cn" {
    type forward;
    forwarders { 1.1.1.1; };
};  # Define zone forwarding: host records under the "sina.com.cn" domain will be forwarded to 1.1.1.1

After the above configuration is complete, you can set a host on the same network to use this server as its DNS and test. It is recommended to use Wireshark to examine the packets during this process.

Although the DNS server is configured, the DNS server address still needs to be specified in the network interface configuration. For more details on the root servers, you can check here. If you want to deploy the DNS server on the public network, it is recommended to disable recursive queries from outside your own network.

## Alternative to Bind

### Configure Master Server

DNS is a system that resolves between domain names and IPs. We call FQDN-to-IP forward resolution and IP-to-FQDN reverse resolution. The configuration here is forward resolution.

Configuration Environment

sudo vim /etc/bind/named.conf.local
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

cd /etc/bind/
cp db.local db.example.com

sudo vim db.example.com
@       IN      NS      ns                ; Modify the records at the end of the file to the corresponding host records
@       IN      A       10.10.10.130
ns      IN      A       10.10.10.130      ; The A record for ns must be added, otherwise an error is reported
www     IN      A       10.10.10.130      ; Host record
; In zone files a comment starts with ";", not "#". Multiple A records can be added for the same host name to achieve a load-balancing effect. Note that DNS caching will affect the experimental resolution results; under Windows use "ipconfig /flushdns" to clear the cache.

sudo named-checkconf    #Check the configuration file
sudo named-checkzone example.com /etc/bind/db.example.com #Check zone file
sudo systemctl restart bind9  #Restart service
sudo systemctl status bind9 #Check status

I will not start another virtual machine for verification here; I use the tools under Kali to test.

dig example.com @10.10.10.131 ANY            # Specify 10.10.10.131 as the DNS server and query all records
nslookup -type=A example.com 10.10.10.131    # Specify 10.10.10.131 as the DNS server and query A records; this does not mean dig cannot do it, both tools work

#### Reverse resolution configuration

After the forward (FQDN) configuration is complete, configure the reverse zone. Remember that one of the record types is the MX record, with which you can set the mail server address (building a mail server will be introduced later). Since the zone "example.com" was created earlier, we could send mail out as "example.com". Is there a problem here? In fact I do not own the "example.com" domain name, so how can the recipient verify my authenticity when receiving mail from me? This is where reverse resolution plays its role.

cd /etc/bind/
sudo vim named.conf.local   # Create a new zone
zone "10.10.10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.10.10.10";
};  # The part before in-addr.arpa is the network segment's octets in reverse order; in my case the address reads the same both ways

cp db.127 db.10.10.10
sudo vim db.10.10.10        # Other configuration is not covered here. A big pitfall: if the trailing dot after an FQDN is omitted, named-checkzone does not report an error, but the configuration will not take effect
@       IN      NS      ns.example.com.
130     IN      PTR     example.com.
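The trailing-dot pitfall above is easy to miss because named-checkzone accepts a name like example.com without the dot and BIND then silently appends the zone origin, producing example.com.10.10.10.in-addr.arpa. The following shell function is an added example, not code from the original post: it scans a zone file for NS, CNAME, PTR and MX targets that contain a dot but do not end with one, which is the pattern that bites here. The sample zone embedded in it is constructed for the demonstration; ns.example.com and the 10.10.10.x addresses are the ones used in this chapter.

```shell
#!/bin/sh
# Constructed reverse-zone sample in the layout of Ubuntu's db.127.
# Line 10 deliberately omits the trailing dot after example.com.
ZONE_SAMPLE='$TTL 604800
@       IN      SOA     ns.example.com. root.example.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.example.com.
130     IN      PTR     example.com
131     IN      PTR     ns.example.com.'

# Read a zone file on stdin and print every NS/CNAME/PTR/MX record whose
# target looks like an FQDN (contains a dot) but is not terminated by one.
# Relative names without any dot (e.g. "ns" in a forward zone) are left alone,
# since those are meant to have the origin appended.
find_unqualified_targets() {
    awk '
        { sub(/;.*/, "") }                  # strip zone-file comments (";" not "#")
        NF == 0 { next }                    # skip blank and comment-only lines
        {
            type = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "NS" || $i == "CNAME" || $i == "PTR") {
                    type = $i; target = $(i + 1); break
                }
                if ($i == "MX") {           # MX carries a preference before the target
                    type = $i; target = $(i + 2); break
                }
            }
            if (type != "" && target ~ /\./ && target !~ /\.$/)
                printf "line %d: %s target %s lacks trailing dot\n", NR, type, target
        }'
}

# Usage on the constructed sample; on a real server run
#   find_unqualified_targets < /etc/bind/db.10.10.10
printf '%s\n' "$ZONE_SAMPLE" | find_unqualified_targets
```

Run it before named-checkzone as a complement to it, not a replacement: named-checkzone still catches syntax errors that this check does not look for.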

Verify under Kali Linux

dig -x 10.10.10.130 @10.10.10.131   # Use dig to perform a reverse lookup; if the configuration is correct, the corresponding PTR record is returned

## Configure Slave DNS Server

Redundancy is a constant topic, and configuring a Slave DNS server is very necessary; there need not be only one Slave. Records are modified only on the Master, and the Slave is notified to synchronize through the version number (Serial, which must be updated manually). For security reasons, the server should globally prohibit zone transfer (synchronizing all DNS records in the domain) and only allow the designated IP, i.e. the Slave server, in the designated zones to perform zone transfer. A zone transfer is a request to transfer all DNS records; it can occur between DNS servers or between a client and a DNS server.

dig @10.10.10.130 example.com axfr   # When zone transfer is not prohibited, this command fetches all records

Modify files on the Master DNS server

sudo vim named.conf.options
options {
    allow-transfer { none; };   # Insert this line in options
};
sudo systemctl restart bind9 
sudo systemctl status bind9

Then, running the dig command on Kali, I find that the zone transfer is no longer possible.

sudo vim named.conf.local   # Zone-level settings in the local configuration file take priority over the global options
allow-transfer { 10.10.10.130; };
# Add the IP allowed to transfer the zone inside both the forward zone and the reverse zone
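Two of the recommendations in this chapter, disabling recursion for outsiders on a public-facing server and setting a global allow-transfer { none; }, are easy to forget once the server works. The following shell function is an added example, not part of the original post: it reads a named.conf.options-style file and reports when the options block lacks a global allow-transfer { none; } or enables recursion without an allow-recursion or allow-query restriction. The two configuration fragments embedded in it are constructed for the demonstration (one is the weak shape, the other the corrected one); the acl name "local" and the 10.10.10.x addresses follow this chapter.

```shell
#!/bin/sh
# Constructed named.conf.options fragment with the weak settings:
# recursion for everyone and no global transfer restriction.
CONF_WEAK='acl "local" { 10.10.10.0/24; };
options {
    directory "/var/cache/bind";
    recursion yes;
    listen-on { 10.10.10.131; };
};'

# The same fragment with the settings this chapter recommends.
CONF_HARDENED='acl "local" { 10.10.10.0/24; };
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { local; };   # only the LAN may use us as a recursive resolver
    allow-query { local; };
    allow-transfer { none; };     # zone transfer off globally, re-enabled per zone
    listen-on { 10.10.10.131; };
};'

# Read a named.conf-style file on stdin, locate the options { ... } block by
# brace depth, and print one finding per missing safeguard.
# Exit status 0 means no findings, 1 means at least one.
audit_named_options() {
    awk '
        { sub(/#.*/, ""); sub(/\/\/.*/, "") }         # drop both comment styles
        /^[ \t]*options[ \t]*\{/ { in_opts = 1 }
        in_opts {
            depth += gsub(/\{/, "{") - gsub(/\}/, "}")   # track nesting
            if ($0 ~ /recursion[ \t]+yes/)                      recursion = 1
            if ($0 ~ /allow-recursion[ \t]*\{/)                 allow_rec = 1
            if ($0 ~ /allow-query[ \t]*\{/)                     allow_q = 1
            if ($0 ~ /allow-transfer[ \t]*\{[ \t]*none[ \t]*;/) xfer_none = 1
            if (depth == 0) in_opts = 0                 # closing "};" of options
        }
        END {
            bad = 0
            if (!xfer_none) {
                print "options: no global allow-transfer { none; }; zone transfer is open to anyone"
                bad = 1
            }
            if (recursion && !allow_rec && !allow_q) {
                print "options: recursion yes without allow-recursion/allow-query restriction (open resolver)"
                bad = 1
            }
            exit bad
        }'
}

# Usage on the two constructed fragments; on a real server run
#   audit_named_options < /etc/bind/named.conf.options
echo "== weak =="
printf '%s\n' "$CONF_WEAK" | audit_named_options || echo "(findings above)"
echo "== hardened =="
printf '%s\n' "$CONF_HARDENED" | audit_named_options && echo "no findings"
```

The check is deliberately conservative: it only inspects the global options block, so a per-zone allow-transfer that re-opens transfer to a specific Slave, as configured above, does not count against the server.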

The previously configured ns record was also modified accordingly; "10.10.10.133" is a machine I created as a linked clone.

Below is the configuration on the slave server

sudo vim /etc/bind/named.conf.options   # Linked clone, so the file already exists
listen-on { 10.10.10.133; };            # Change to the Slave's interface address; keep the rest of the configuration unchanged
sudo vim named.conf.local
zone "example.com" {
    type slave;
    file "db.example.com";
    masters { 10.10.10.131; };
};
zone "10.10.10.in-addr.arpa" {
    type slave;
    file "db.10.10.10";
    masters { 10.10.10.131; };
};  # Pay attention to the file name and the zone type

sudo systemctl restart bind9
sudo systemctl status bind9
cd /var/cache/bind                # Location of the synchronized zone files; they are stored in BIND's raw binary format, so they are not readable as plain text
sudo grep bind /var/log/syslog    # Check the system log entries about bind to troubleshoot
# In my experiment the first few attempts did not synchronize to the cache; "sudo systemctl status bind9" showed that the master reported an error, and synchronization succeeded after checking and correcting the configuration.

Verify under Kali with dig example.com @10.10.10.133; the records returned are the same as from "10.10.10.131". Modify a resolution record and update the version number (Serial) in the master's zone file, then restart the service; if the configuration is correct, the modified result is also synchronized. It is recommended to add the following configuration to the Master's named.conf.local for faster synchronization.

sudo vim named.conf.local
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 10.10.10.133; };
    also-notify { 10.10.10.133; };    # Added configuration (option names are lowercase)
};
zone "10.10.10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.10.10.10";
    allow-transfer { 10.10.10.133; };
    also-notify { 10.10.10.133; };    # Added configuration
};
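Synchronization to the Slave only happens when the Serial in the Master's SOA record goes up, and forgetting to bump it is the usual reason a change "does not propagate". The following shell functions are an added example, not code from the original post: next_serial implements the common YYYYMMDDnn scheme (restart the counter on a new day, otherwise increment, and fall back to plain +1 for serials in any other form), and bump_serial rewrites the serial in a zone file laid out like Ubuntu's db.local, where the serial sits on the line tagged "; Serial". The zone embedded below is constructed for the demonstration and uses this chapter's example.com and 10.10.10.130 values.

```shell
#!/bin/sh
# Constructed forward-zone sample in the layout of Ubuntu's db.local.
ZONE='$TTL    604800
@       IN      SOA     ns.example.com. root.example.com. (
                     2020031501         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.example.com.
@       IN      A       10.10.10.130
ns      IN      A       10.10.10.130
www     IN      A       10.10.10.130'

# next_serial OLD TODAY
# OLD in YYYYMMDDnn form: if its date part is older than TODAY (YYYYMMDD),
# start over at TODAY01; otherwise add one. Any other form just gets +1.
next_serial() {
    old=$1; today=$2
    case $old in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
            if [ "${old%??}" -lt "$today" ]; then
                echo "${today}01"
            else
                echo $((old + 1))
            fi ;;
        *)  echo $((old + 1)) ;;
    esac
}

# current_serial: print the serial from a db.local-style zone read on stdin.
current_serial() {
    awk '/;[ \t]*Serial/ { match($0, /[0-9]+/); print substr($0, RSTART, RLENGTH); exit }'
}

# bump_serial TODAY: read a zone on stdin, write it to stdout with the serial
# replaced by next_serial; every other line is passed through unchanged.
bump_serial() {
    today=$1
    zone=$(cat)
    old=$(printf '%s\n' "$zone" | current_serial)
    new=$(next_serial "$old" "$today")
    printf '%s\n' "$zone" | awk -v old="$old" -v new="$new" '
        !done && /;[ \t]*Serial/ { sub(old, new); done = 1 }
        { print }'
}

# Usage on the constructed sample; on the Master you would write the result
# back to /etc/bind/db.example.com, run named-checkzone, then restart bind9.
printf '%s\n' "$ZONE" | bump_serial "$(date +%Y%m%d)"
```

After bumping the serial, named-checkzone and the restart from earlier in this chapter apply as before; with also-notify configured, the Master then tells the Slave to pull the new zone rather than waiting for the refresh interval.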

## Afterword

Having written this far, my wrist really cannot take any more, and the tenosynovitis really hurts. The sore neck may be related to my sitting posture. The content of the next chapter is a bit daunting, so I will try to get it out in a week.

