DNS server
bind9 DNS server
bind9 view 做分割
- spec
- 外網無法詢問內部 dns record
- 內網可以查詢外網及內網 dns record
1 | acl internal { |
- 讓內網查詢外網 dns record
- insert
$INCLUDE /etc/bind/forward.rogerdeng.net.dbintointernal.rogerdeng.net.db
- insert
DNSSEC
- 產生 KSK
dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE <ZONENAME>
- 產生 ZSK
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE <ZONENAME>
- 將 KSK 與 ZSK 的 record 放入 zonefile
cat *.key >> <ZONEFILE>
- 簽署 zonefile
dnssec-signzone -u -o rogerdeng.net -k <KSK.key> <ZONEFILE> <ZSK.key>
- 指定 zonefile.signed
1
2
3
4
5
6
7view "external-view" {
match-clients { external; };
zone "rogerdeng.net" {
type master;
file "/etc/bind/forward.rogerdeng.net.db.signed";
};
}; - 產生 DS record 放入上層 dns server
dnssec-dsfromkey <KSK.key>rogerdeng.net. IN DS 10246 8 2 FB2C50A9AB6561B75D7033DDA209E2C8BBEF7138274F325691DAD456582EAAF8
setup Auto DNSSEC
- Edit
/etc/bind/named.conf.options1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21view "internal-view" {
match-clients { internal; };
zone "rogerdeng.net" {
type master;
key-directory "/etc/bind/keys";
auto-dnssec maintain;
inline-signing yes;
file "/etc/bind/internal.rogerdeng.net.db";
};
};
view "external-view" {
match-clients { external; };
zone "rogerdeng.net" {
type master;
key-directory "/etc/bind/keys";
auto-dnssec maintain;
inline-signing yes;
file "/etc/bind/forward.rogerdeng.net.db";
};
};
AppArmor 可能會擋掉對於 key 的存取
警告:AppArmor 可能會擋掉對於 key 的存取!!
sudo vim /etc/apparmor.d/usr.sbin.named1
2add:
/etc/bind/keys/** rw,sudo systemctl restart apparmor
注意權限設置
sudo chown -R bind:bind /etc/bind/keyssudo chmod -R 755 /etc/bind/keys
重新簽署
rndc signing -list rogerdeng.netsudo systemctl restart bind9
Check DNSSEC
dig +dnssec <DOMAIN> @<DNS_SERVER>