Скачать презентацию DNS with Linux on z VM generous guest naming Скачать презентацию DNS with Linux on z VM generous guest naming

4b0536a636ee919ff86bfb4ceacf4464.ppt

  • Количество слайдов: 29

DNS with Linux on z/VM generous guest naming names Rick Troth rogue programmer <rmt@casita. DNS with Linux on z/VM generous guest naming names Rick Troth rogue programmer http: //www. casita. net/ VM Workshop, 2017 June The Ohio State University

Disclaimer The content of this presentation is informational only. The reader or attendee is Disclaimer The content of this presentation is informational only. The reader or attendee is responsible for his/her own use of the concepts and examples presented herein. In other words: Your mileage may vary. “It Depends. ” Results not typical. Actual mileage will probably be less. Use only as directed. Do not fold, spindle, or mutilate. Not to be taken on an empty stomach. Refrigerate after opening. 2

Easy DNS with z/Linux This is Rick's own system External DNS for Casita. Net Easy DNS with z/Linux This is Rick's own system External DNS for Casita. Net runs on z/Linux Dunno Dyn. DNS, but we're interactive Inside -vs- Outside, does it matter? Hardening is hard, so see some pitfalls DNSSEC looms 3

about: rick Unix for 30+ years Linux since 0. 99 (circa 1993) VM/SP (and about: rick Unix for 30+ years Linux since 0. 99 (circa 1993) VM/SP (and following) since 1981 Obsessed with source-based systems Previous jobs: SSL stack, z/VM, Linux Day job is data sec … it's all about trust 4

The Small World of Casita. Net pk sb sv gc co gt nl sd The Small World of Casita. Net pk sb sv gc co gt nl sd cc 5

Berkeley Internet Name Domain Berkeley Internet Name Daemon, 'named' BIND 9 – long time Berkeley Internet Name Domain Berkeley Internet Name Daemon, 'named' BIND 9 – long time current family BIND 10 – ISC new and improved family 6

DNS at Casita. Net /var/named/master/casita. net /var/named/master/192. 168. 29 /var/named/master/2604: 8800: 12 b “internal” DNS at Casita. Net /var/named/master/casita. net /var/named/master/192. 168. 29 /var/named/master/2604: 8800: 12 b “internal” DNS has complete domain “external” DNS has partial IPv 4 PTR records valid internally (NAT) IPv 6 PTRs meaningful everywhere 7

Forward DNS at Casita. Net $TTL 4 H @ IN SOA @ root@casita. net. Forward DNS at Casita. Net $TTL 4 H @ IN SOA @ [email protected] net. ( 2011071300 7200 3600000 86400 ) IN A 192. 168. 29. 1 IN AAAA 2604: 8800: 12 b: : b IN NS jeremiah. casita. net. main IN A 192. 168. 29. 1 jeremiah IN A 192. 168. 29. 11 jeremiah IN AAAA 2604: 8800: 12 b: : b nehemiah IN A 192. 168. 29. 12 nehemiah IN AAAA 2604: 8800: 12 b: : c culdesac IN A 192. 168. 29. 26 culdesac IN AAAA 2604: 8800: 12 b: : 1 a 8

IPv 4 Reverse DNS at Casita. Net $TTL 4 H $ORIGIN @ IN 29. IPv 4 Reverse DNS at Casita. Net $TTL 4 H $ORIGIN @ IN 29. 168. 192. IN-ADDR. ARPA. SOA @ [email protected] net. ( 2008063000 21600 3600000 86400 ) IN NS jeremiah. casita. net. 11 IN PTR jeremiah. casita. net. 12 IN PTR nehemiah. casita. net. 26 IN PTR culdesac. casita. net. 9

IPv 6 Reverse DNS at Casita. Net $TTL 4 H $ORIGIN @ IN b. IPv 6 Reverse DNS at Casita. Net $TTL 4 H $ORIGIN @ IN b. 2. 1. 0. 0. 0. 8. 8. 4. 0. 6. 2. ip 6. arpa. SOA @ [email protected] net. ( 2011072400 21600 3600000 86400 ) IN NS jeremiah. casita. net. b. 0. 0. 0 IN PTR jeremiah. casita. net. c. 0. 0. 0 IN PTR nehemiah. casita. net. a. 1. 0. 0. 0 IN PTR culdesac. casita. net. 10

demos 11 demos 11

DNS Record Types SOA – start of authority (“@” means “here”) A, AAAA – DNS Record Types SOA – start of authority (“@” means “here”) A, AAAA – address NS – name server CNAME – alias, nickname MX – mail exchanger TXT – free-form text PTR – pointer (to name, from address) 12

DNSSEC Domain Name System Security Extensions Crypto Signing of Internet Domain Data 13 DNSSEC Domain Name System Security Extensions Crypto Signing of Internet Domain Data 13

DNSSEC Record Types RRSIG – resource record signature DNSKEY – public key of signer DNSSEC Record Types RRSIG – resource record signature DNSKEY – public key of signer DS – delegation signer NSEC – next secure record https: //en. wikipedia. org/wiki/ Domain_Name_System_Security_Extensions 14

Config file /etc/named. conf options { directory Config file /etc/named. conf options { directory "/var/named"; listen-on-v 6 { any; }; pid-file "/var/run/named. pid"; forwarders { 68. 94. 156. 10; 68. 94. 157. 10; }; }; First stanza, sans comments 15

Config file /etc/named. conf logging { category default { log_syslog; }; channel log_syslog { Config file /etc/named. conf logging { category default { log_syslog; }; channel log_syslog { syslog; }; }; “hints” We'll come back to that. zone ". " in { type hint; file "root. hint"; }; 16

Config file /etc/named. conf zone Config file /etc/named. conf zone "localhost" in { type master; file "localhost. zone"; }; zone "0. 0. 127. in-addr. arpa" in { type master; file "127. 0. 0. zone"; }; 17

Config file /etc/named. conf zone Config file /etc/named. conf zone "casita. net" in { type master; file "master/casita. net"; allow-update { none; }; allow-transfer { none; }; }; Note: Master vs Slave 18

Config file /etc/named. conf zone Config file /etc/named. conf zone "29. 168. 192. in-addr. arpa" in { type master; file "master/192. 168. 29"; allow-update { none; }; allow-transfer { none; }; }; Contains PTR Records 19

Config file /etc/named. conf zone Config file /etc/named. conf zone "b. 2. 1. 0. 0. 0. 8. 8. 4. 0. 6. 2. ip 6. arpa" in { type master; file "master/2604: 8800: 12 b"; allow-update { none; }; allow-transfer { none; }; }; Contains PTR Records 20

Config file /etc/named. conf zone Config file /etc/named. conf zone "BITNET" IN { type master; file "master/bitnet"; allow-update { none; }; allow-transfer { none; }; notify yes; }; 21

about: filenames Filename extensions are a Good Thing But …. zone, . db, why about: filenames Filename extensions are a Good Thing But …. zone, . db, why bother? Colons: problem for Windows, NTFS, *FAT /var/named/master/domain 22

Alternative DNS root Standard set is root-servers. net Alternate set is orsn-servers. eu Modify Alternative DNS root Standard set is root-servers. net Alternate set is orsn-servers. eu Modify your “hint” file http: //www. orsn. org/roothint/root-hint. txt Like rolling your own Linux distro, anyone can do it. 23

BIND, not bondage Berkeley Internet Name Daemon … on SUSE: zypper install bind … BIND, not bondage Berkeley Internet Name Daemon … on SUSE: zypper install bind … on Clef. OS, Cent. OS, RH: yum install bind … on Debian, Ubuntu: apt-get install bind 9 24

BYOB Build your own BIND http: //ftp. isc. org/isc/bind 9/9. 11. 1/ bind-9. 11. BYOB Build your own BIND http: //ftp. isc. org/isc/bind 9/9. 11. 1/ bind-9. 11. 1. tar. gz. asc Download, un-tar. /configure ; make install 25

Chicory (Portable Apps) Rick's Rules for /usr/opt wrapper make source make verify make config Chicory (Portable Apps) Rick's Rules for /usr/opt wrapper make source make verify make config make install make distclean. /setup 26

DNS servers in the house Guest of z/VM Ideal service virtual machine role Guest DNS servers in the house Guest of z/VM Ideal service virtual machine role Guest of KVM/Xen/any, container, physical Sub-domains needing agile management Dev/test/tinker/hobby/staging BIND “DB files” are easy 27

NORD Project – please help Not trying to start a distro … http: //www. NORD Project – please help Not trying to start a distro … http: //www. casita. net/nord http: //www. casita. net/chicory … just change the world.

Thank You http: //www. casita. net/vmworkshop/2017/presentations/ troth-vmworkshop-dns-2017. odp http: //www. casita. net/vmworkshop/2017/presentations/ troth-vmworkshop-dns-2017. ppt Thank You http: //www. casita. net/vmworkshop/2017/presentations/ troth-vmworkshop-dns-2017. odp http: //www. casita. net/vmworkshop/2017/presentations/ troth-vmworkshop-dns-2017. ppt