
Number of slides: 29
DNS with Linux on z/VM: generous guest naming names
Rick Troth, rogue programmer

Disclaimer
The content of this presentation is informational only. The reader or attendee is responsible for his/her own use of the concepts and examples presented herein. In other words: Your mileage may vary. “It Depends.” Results not typical. Actual mileage will probably be less. Use only as directed. Do not fold, spindle, or mutilate. Not to be taken on an empty stomach. Refrigerate after opening.

Easy DNS with z/Linux
This is Rick's own system
External DNS for Casita.Net runs on z/Linux
Dunno DynDNS, but we're interactive
Inside -vs- Outside, does it matter?
Hardening is hard, so see some pitfalls
DNSSEC looms

about: rick
Unix for 30+ years
Linux since 0.99 (circa 1993)
VM/SP (and following) since 1981
Obsessed with source-based systems
Previous jobs: SSL stack, z/VM, Linux
Day job is data sec … it's all about trust

The Small World of Casita.Net
(network diagram; node labels: pk sb sv gc co gt nl sd cc)

Berkeley Internet Name Domain
Berkeley Internet Name Daemon, 'named'
BIND 9 – long-time current family
BIND 10 – ISC's new and improved family

DNS at Casita.Net
/var/named/master/casita.net
/var/named/master/192.168.29
/var/named/master/2604:8800:12b
“internal” DNS has complete domain
“external” DNS has partial
IPv4 PTR records valid internally (NAT)
IPv6 PTRs meaningful everywhere
Forward DNS at Casita.Net
$TTL 4H
; SOA RNAME: the contact mailbox is written with a dot in place of "@"
; (the slide shows root@casita.net., which names the wrong mailbox)
@           IN SOA   @ root.casita.net. ( 2011071300 7200 3600000 86400 )
            IN A     192.168.29.1
            IN AAAA  2604:8800:12b::b
            IN NS    jeremiah.casita.net.
main        IN A     192.168.29.1
jeremiah    IN A     192.168.29.11
jeremiah    IN AAAA  2604:8800:12b::b
nehemiah    IN A     192.168.29.12
nehemiah    IN AAAA  2604:8800:12b::c
culdesac    IN A     192.168.29.26
culdesac    IN AAAA  2604:8800:12b::1a

IPv4 Reverse DNS at Casita.Net
$TTL 4H
$ORIGIN 29.168.192.IN-ADDR.ARPA.
@           IN SOA   @ root.casita.net. ( 2008063000 21600 3600000 86400 )
            IN NS    jeremiah.casita.net.
11          IN PTR   jeremiah.casita.net.
12          IN PTR   nehemiah.casita.net.
26          IN PTR   culdesac.casita.net.

IPv6 Reverse DNS at Casita.Net
$TTL 4H
$ORIGIN b.2.1.0.0.0.8.8.4.0.6.2.ip6.arpa.
@           IN SOA   @ root.casita.net. ( 2011072400 21600 3600000 86400 )
            IN NS    jeremiah.casita.net.
; owner names spell out all 20 nibbles of the host part below the /48;
; the slide abbreviated them to the last few (b.0.0.0, c.0.0.0, a.1.0.0.0)
b.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR jeremiah.casita.net.
c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR nehemiah.casita.net.
a.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR culdesac.casita.net.
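Generating the reverse zones from the forward data, as an added example that is not from the slides: it builds the in-addr.arpa and ip6.arpa owner names for the hosts above with Python's ipaddress module, spelling out every nibble of the host part that the IPv6 slide abbreviates, and checks a hand-maintained PTR set against the forward zone so the internal and external copies cannot silently disagree. The FORWARD list is constructed from the slides; the function names are assumptions of this example.

```python
import ipaddress

FORWARD_ORIGIN = "casita.net."
V4_ORIGIN = "29.168.192.in-addr.arpa."
V6_ORIGIN = "b.2.1.0.0.0.8.8.4.0.6.2.ip6.arpa."

# Constructed from the forward zone on the slides: (owner, address).
FORWARD = [("jeremiah", "192.168.29.11"), ("jeremiah", "2604:8800:12b::b"),
           ("nehemiah", "192.168.29.12"), ("nehemiah", "2604:8800:12b::c"),
           ("culdesac", "192.168.29.26"), ("culdesac", "2604:8800:12b::1a")]

def ptr_owner(addr):
    """(owner, origin) of the PTR for addr. reverse_pointer spells out every
    nibble, which a real ip6.arpa record needs (the slide abbreviates)."""
    ip = ipaddress.ip_address(addr)
    origin = V4_ORIGIN if ip.version == 4 else V6_ORIGIN
    full = ip.reverse_pointer + "."
    if not full.endswith("." + origin):
        raise ValueError(f"{addr} is not inside {origin}")
    return full[: -len(origin) - 1], origin

def addr_from_ptr(owner, origin):
    """Inverse of ptr_owner: the address a PTR owner name stands for."""
    labels = (owner + "." + origin).rstrip(".").split(".")
    if origin.endswith("in-addr.arpa."):
        return str(ipaddress.ip_address(".".join(reversed(labels[:4]))))
    hexstr = "".join(reversed(labels[:32]))
    return str(ipaddress.ip_address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4))))

def reverse_zone_lines(forward):
    """PTR lines per reverse origin, generated from the forward records so the
    two zones cannot drift apart."""
    lines = {V4_ORIGIN: [], V6_ORIGIN: []}
    for name, addr in forward:
        owner, origin = ptr_owner(addr)
        lines[origin].append(f"{owner} IN PTR {name}.{FORWARD_ORIGIN}")
    return lines

def check_consistency(forward, ptrs):
    """Compare hand-maintained PTRs ({origin: [(owner, target)]}) with the
    forward zone. Returns (missing_ptr, stale_ptr) as sets of (fqdn, addr)."""
    want = {(f"{n}.{FORWARD_ORIGIN}", str(ipaddress.ip_address(a))) for n, a in forward}
    have = {(t, addr_from_ptr(o, origin)) for origin, recs in ptrs.items() for o, t in recs}
    return want - have, have - want
```

A stale PTR (an address that no longer has an A/AAAA) shows up in the second set, which is the case the partial “external” copy is most likely to hit.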
demos

DNS Record Types
SOA – start of authority (“@” means “here”)
A, AAAA – address
NS – name server
CNAME – alias, nickname
MX – mail exchanger
TXT – free-form text
PTR – pointer (to name, from address)

DNSSEC
Domain Name System Security Extensions
Crypto signing of Internet domain data

DNSSEC Record Types
RRSIG – resource record signature
DNSKEY – public key of signer
DS – delegation signer
NSEC – next secure record
https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
Config file /etc/named.conf
options {
    directory "/var/named";
    listen-on-v6 { any; };
    pid-file "/var/run/named.pid";
    forwarders { 68.94.156.10; 68.94.157.10; };
};
First stanza, sans comments

Config file /etc/named.conf
logging {
    category default { log_syslog; };
    channel log_syslog { syslog; };
};
“hints”: we'll come back to that.
zone "." in {
    type hint;
    file "root.hint";
};

Config file /etc/named.conf
zone "localhost" in {
    type master;
    file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "127.0.0.zone";
};

Config file /etc/named.conf
zone "casita.net" in {
    type master;
    file "master/casita.net";
    allow-update { none; };
    allow-transfer { none; };
};
Note: Master vs Slave

Config file /etc/named.conf
zone "29.168.192.in-addr.arpa" in {
    type master;
    file "master/192.168.29";
    allow-update { none; };
    allow-transfer { none; };
};
Contains PTR records

Config file /etc/named.conf
zone "b.2.1.0.0.0.8.8.4.0.6.2.ip6.arpa" in {
    type master;
    file "master/2604:8800:12b";
    allow-update { none; };
    allow-transfer { none; };
};
Contains PTR records

Config file /etc/named.conf
zone "BITNET" IN {
    type master;
    file "master/bitnet";
    allow-update { none; };
    allow-transfer { none; };
    notify yes;
};
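A small audit of the stanzas above, as an added example that is not the author's code: it walks a comment-free named.conf, matching braces by depth, and reports master zones whose allow-transfer or allow-update is absent or wider than { none; }, plus an options stanza that never sets recursion. The NAMED_CONF sample is constructed from the slides with one deliberately weak zone (example.test) added; the function names are assumptions of this example.

```python
import re
# Constructed sample (not the full file from the slides): the options stanza and
# the casita.net zone from above, plus one deliberately weak zone to exercise it.
NAMED_CONF = """
options {
    listen-on-v6 { any; };
    forwarders { 68.94.156.10; 68.94.157.10; };
};
zone "casita.net" in {
    type master;
    file "master/casita.net";
    allow-update { none; };
    allow-transfer { none; };
};
zone "example.test" in {
    type master;
    file "master/example.test";
};
"""

HEAD = re.compile(r'\b(options|zone\s+"([^"]+)"[^{]*?)\s*\{')

def stanzas(conf):
    """Yield (kind, name, body) for top-level options/zone stanzas, matching braces
    by depth so nested { } like listen-on-v6 { any; } do not end a stanza early."""
    for m in HEAD.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        kind = "options" if m.group(1) == "options" else "zone"
        yield kind, m.group(2), conf[m.end():i - 1]

def audit(conf):
    """(name, finding) pairs: master zones whose allow-transfer/allow-update is
    missing or wider than { none; }, and an options stanza leaving recursion at default."""
    findings = []
    for kind, name, body in stanzas(conf):
        if kind == "options":
            if "recursion" not in body:
                findings.append(("options", "recursion left at default"))
            continue
        if "type master" not in body:
            continue
        for stmt in ("allow-transfer", "allow-update"):
            m = re.search(stmt + r"\s*\{([^}]*)\}", body)
            val = m.group(1).strip().rstrip(";").strip() if m else None
            if val is None:
                findings.append((name, f"{stmt} not set"))
            elif val != "none":
                findings.append((name, f"{stmt} allows {val}"))
    return findings
```

named-checkconf validates syntax but says nothing about which zones can be transferred or updated; this check covers that gap, and the recursion finding is a reminder to set it explicitly (recursion no on an authoritative-only server).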
about: filenames
Filename extensions are a Good Thing
But … .zone, .db, why bother?
Colons: problem for Windows, NTFS, *FAT
/var/named/master/domain

Alternative DNS root
Standard set is root-servers.net
Alternate set is orsn-servers.eu
Modify your “hint” file
http://www.orsn.org/roothint/root-hint.txt
Like rolling your own Linux distro, anyone can do it.

BIND, not bondage
Berkeley Internet Name Daemon
… on SUSE: zypper install bind
… on ClefOS, CentOS, RH: yum install bind
… on Debian, Ubuntu: apt-get install bind9

BYOB
Build your own BIND
http://ftp.isc.org/isc/bind9/9.11.1/bind-9.11.1.tar.gz.asc
Download, un-tar, ./configure ; make install

Chicory (Portable Apps)
Rick's Rules for /usr/opt wrapper
make source
make verify
make config
make install
make distclean
./setup

DNS servers in the house
Guest of z/VM
Ideal service virtual machine role
Guest of KVM/Xen/any, container, physical
Sub-domains needing agile management
Dev/test/tinker/hobby/staging
BIND “DB files” are easy

NORD Project – please help
Not trying to start a distro …
http://www.casita.net/nord
http://www.casita.net/chicory
… just change the world.

Thank You
http://www.casita.net/vmworkshop/2017/presentations/troth-vmworkshop-dns-2017.odp
http://www.casita.net/vmworkshop/2017/presentations/troth-vmworkshop-dns-2017.ppt