DNS(BIND) Server Configuration

DNS(BIND) Server Configuration. By 林逸祥 (Yi-Hsiang Lin) 2002/1/8 @CISCC. OUTLINE. Hardware requirements Named startup Configuration files Example. Hardware requirements. BIND is a memory hog. New features of BIND9 also CPU intensive(most notably DNSSEC & IPv6)

  1. DNS(BIND) Server Configuration By 林逸祥(Yi-Hsiang Lin) 2002/1/8 @CISCC

  2. OUTLINE
  • Hardware requirements
  • Named startup
  • Configuration files
  • Example

  3. Hardware requirements
  • BIND is a memory hog.
  • New features of BIND 9 are also CPU intensive (most notably DNSSEC and IPv6).
  • BIND 9 is multithreaded and can make full use of multiprocessor systems.
  • Watch the size of the named process to determine whether a name server has enough memory:
      PID   USERNAME THR PRI NICE SIZE RES STATE TIME  CPU   COMMAND
      17399 root     6   59  0    12M  12M sleep 17:21 0.30% named

  4. Named startup
  • Started at boot time, runs continuously
  • Use a command-line interface: ndc, or rndc in BIND 9
      ndc command
    where command can be start, stop, restart, reload, status
  • Should be started before syslogd
  • Do not use inetd to manage named

  5. Configuration files (1/2)
  • /etc/named.conf (in BIND 8 and 9)
  • Comments: /* */ , // , #
  • Each statement begins with a keyword
  • An address match list can include: an IP address / an IP prefix with netmask / an acl name / a key / ! (negation of the following element)
    E.g.
      { ! 1.2.3.13; 1.2.3.24; };
      { 140.113/16; 127.0.0.1; };
    PS. Lists are evaluated with a "first match" algorithm

  6. Configuration files (2/2): Statement types in named.conf

  7. The include statement
  • include "path";
  • Put different portions of the configuration in separate files
  • The path is relative
  • Protect cryptographic keys: included key files must not be world-readable

  8. The options statement (1/4)
  • options { option; option; … };
  • BIND 8 had 30 options / BIND 9 has over 50

  9. The options statement (2/4) [defaults in brackets]
  • version "string";              [real version of server]
  • directory "path";              [where server started]
  • notify yes | no;               [yes]
  • also-notify svrs_ips;          [empty]
  • recursion yes | no;            [yes]
  • allow-recursion { add_list };  [all hosts]

  10. The options statement (3/4)
  • check-names { master | slave | response action };
    Valid names contain letters, numbers and dashes, no longer than 64 characters per component and 256 in total.
    Defaults:
      master:   fail - log and reject bad names
      slave:    warn - log bad names, but continue processing
      response: ignore - do not check
  • transfer-format one-answer | many-answers;

  11. The options statement (4/4)
  • listen-on port ip_port address_match_list;       [53 all]
  • query-source address ip_addr port ip_port;       [random]
  • forwarders { in_addr; in_addr; … };              [empty]
  • forward only | first;                            [first]
  • allow-query { address_match_list; };
  • allow-transfer { address_match_list; };
  • blackhole { address_match_list; };

  12. The acl statement
  • acl acl_name { address_match_list };
  • Must be a top-level statement, defined before it is referenced (the file is parsed in one pass)
  • Predefined lists: any, localnets, localhost, none

  13. The server statement [defaults in brackets]
  • server ip_addr {
        bogus yes | no;                            [no]
        provide-ixfr yes | no;                     [yes (V9 only)]
        request-ixfr yes | no;                     [yes (V9 only)]
        support-ixfr yes | no;                     [no (V8 only)]
        transfers number;                          [2 (V9 only)]
        transfer-format one-answer | many-answers; [V8: one, V9: many]
        keys { key-id; key-id; … };
    };

  14. The logging statement
  • logging {
        channel_def; channel_def; …
        category category_name { channel_name; channel_name; … };
    };
  • "most configurable logging system on Earth"

  15. The zone statement
  • zone "domain_name" {
        type master | slave | stub | hint | forward;
        file "path";
        allow-query { address_match_list; };
        allow-transfer { address_match_list; };
        allow-update { address_match_list; };
    };

  16. The key / trusted-keys statement
  • key key-id { algorithm string; secret string; };
    for authentication with a particular server
  • trusted-keys { domain flags protocol algorithm key; domain flags protocol algorithm key; … };
    for DNSSEC security, specified in RFC 2065.

  17. The controls statement [defaults in brackets]
  • controls {
        inet ip_addr port port# allow { address_match_list | key … };
        unix permission owner group;   [0600 0 0]
    };
  • Specifies how ndc controls a running named process

  18. The view statement
  • view view-name {
        match-clients { address_match_list };
        view_option; …
        zone_statement; …
    };
  • New feature of BIND 9
  • Split DNS
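The statements above combined into one working BIND 9 named.conf, as an added example that is not part of the original slides. The 140.113/16 campus network, the zone file names, the secondary server address 140.113.1.2, the 10.0.0.0/8 blackhole range and the rndc-key name are assumptions.

```conf
// Added example: acl, options, logging, include, controls, zone and view
// statements from the slides in one file. Addresses and names are assumed.

acl "campus" { 140.113/16; 127.0.0.1; };   // first-match list (slide 5)

options {
    directory "/var/named";
    version "not disclosed";                // do not reveal the real version
    listen-on port 53 { 140.113.1.1; 127.0.0.1; };
    recursion yes;
    allow-recursion { "campus"; };          // only campus clients may recurse
    allow-query { any; };
    allow-transfer { none; };               // global default; zones override it
    blackhole { 10.0.0.0/8; };              // queries from here are ignored
    transfer-format many-answers;
};

logging {
    channel "security_log" { syslog daemon; severity info; };
    category "security" { "security_log"; };  // refused queries and transfers
};

include "/etc/rndc.key";                    // defines key "rndc-key"; keep it mode 0600

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

// Split DNS: campus clients see the internal zone data, everyone else the
// public data. With views in use, every zone (including hints) lives in a view.
view "internal" {
    match-clients { "campus"; };
    zone "." { type hint; file "named.root"; };
    zone "example.edu" {
        type master;
        file "internal/example.edu.zone";
        allow-transfer { 140.113.1.2; };    // the secondary only
        allow-update { none; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;                           // no open recursion for the Internet
    zone "example.edu" {
        type master;
        file "external/example.edu.zone";
        allow-transfer { 140.113.1.2; };
    };
};
```

Check the file with named-checkconf before reloading, and confirm with a query from outside the campus range that recursion and zone transfers are refused.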
