Configuring domain forwarding in DNS. What is domain redirection? Entries in the zone file

Hello everyone, today I finally found time to write this post about setting up domain redirection on Nic.ru. It is part of the series of articles about domains and domain names. What is domain redirection, also called domain forwarding? It is when a request for one name, for example Pyatilistnik.., is sent on to another address. Why would you need it? There are many reasons; the simplest is that you changed your domain name but want people who do not know about it yet, and who try to open the old name, to still land on your site instead of getting a "site not found" error and leaving. Nic.ru is one of the Russian registrars that offers this service to its customers.

To do this you must already have a personal account and at least one purchased domain. Go to the menu item DNS service, redirection, Gomobi.

Choose domain redirection (150 rubles) and enter the domain name you want to redirect.

Click to submit the order; after that a note on how to configure the service appears.

The service only works if your domain is delegated. Delegating a domain requires DNS servers that can give Internet users information about your domain (zone). There must be two or more such servers.

If you use the DNS servers included in the domain redirection service, the necessary records are entered automatically.

You can also specify the DNS servers yourself, depending on the level of the domain for which the redirection service is ordered:

  • for a second-level domain (for example, web-forward.ru): ns3-fwl2.nic.ru, ns4-fwl2.nic.ru, ns8-fwl2.nic.ru
  • for a third-level domain (for example, test.web-forward.ru): ns3-fwl3.nic.ru, ns4-fwl3.nic.ru, ns8-fwl3.nic.ru
  • for a fourth-level domain (for example, forum.eng.web-forward.ru): ns3-fwl4.nic.ru, ns4-fwl4.nic.ru, ns8-fwl4.nic.ru
  • for a fifth-level domain (for example, www.forum.eng.web-forward.ru): ns3-fwl5.nic.ru, ns4-fwl5.nic.ru, ns8-fwl5.nic.ru

When using your own DNS servers, you need to add A records to the domain's zone file on the primary DNS server. Within one redirection service, the domain itself and any of its subdomains must point to the same IP address.

Depending on the level of the domain for which the redirection service is ordered, the A records must look like this:

  • for a second-level domain (for example, web-forward.ru): web-forward.ru. A 109.70.27.4
  • for a third-level domain (for example, test.web-forward.ru): test.web-forward.ru. A 109.70.27.5
  • for a fourth-level domain (for example, forum.eng.web-forward.ru): forum.eng.web-forward.ru. A 109.70.27.6
  • for a fifth-level domain (for example, www.forum.eng.web-forward.ru): www.forum.eng.web-forward.ru. A 109.70.27.7

Go to the personal account, to the item My Domains.

And we see the redirection settings for our domain.

If you wish, you can change them. That is all it takes to configure domain redirection on Nic.ru. I also recommend reading:

  • Transfer

An attentive reader will notice IPv6 in this picture.


People are often puzzled by domains. Why does my site not work? Why is this thing broken, nothing helps, I just want it to work! Usually the person asking either does not know about DNS or does not understand its fundamental ideas. For many, DNS is a scary and incomprehensible thing. This article is an attempt to dispel that fear. DNS is simple if you understand a few basic concepts.

What is DNS

DNS stands for Domain Name System. It is a global, distributed key-value store. Servers around the world can give you the value for a key, and if they do not know the key, they ask another server for help.


That's all. Really. You or your browser requests the value for the key www.example.com and receives 1.2.3.4 in response.

The basics

The big plus of DNS is that it is a public service, and you can poke around in the servers if you want to figure it out. Let's try. I have the domain petekeen.net, hosted on the machine web01.bugsplat.info. The commands below can be run from the OS X command line (well, macOS now; translator's note).


Let's look at the mapping between the name and the address:

$ dig web01.bugsplat.info

The dig command is a Swiss army knife for DNS queries: a cool, multifunctional tool. Here is the first part of the answer:


; <<>> DiG 9.7.6-P1 <<>> web01.bugsplat.info
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51539
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

There is only one interesting detail here: information about the query itself. It says we asked for one record and got exactly one answer. Here is the question:


;; QUESTION SECTION:
;web01.bugsplat.info.           IN      A

By default dig asks for an A (address) record, one of the fundamental record types in DNS. An A record holds one IPv4 address. The IPv6 equivalent is AAAA. Let's look at the answer:


;; ANSWER SECTION:
web01.bugsplat.info.    300     IN      A       192.241.250.244

The remaining part describes the response itself:


;; Query time: 20 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Jul 19 20:01:16 2013
;; MSG SIZE  rcvd: 56

In particular, it says how long the server took to respond, which server answered (IP address 192.168.1.1), on which port dig talked to it (53, the default DNS port), when the query was made, and how many bytes the response contained.


As you can see, even an ordinary DNS query involves a lot. Every time you open a web page, the browser makes dozens of such queries, including ones needed to fetch external resources like images and scripts. Each resource costs at least one new DNS query, and if DNS had not been designed for heavy caching, the traffic would be enormous.


But this example does not show that the DNS server 192.168.1.1 had to contact a whole chain of other servers to answer a simple question: "Where does web01.bugsplat.info point?" Let's run a trace to see the full chain dig would have to follow if nothing were cached:


$ dig +trace web01.bugsplat.info

; <<>> DiG 9.7.6-P1 <<>> +trace web01.bugsplat.info
;; global options: +cmd
.                       137375  IN      NS      l.root-servers.net.
.                       137375  IN      NS      m.root-servers.net.
.                       137375  IN      NS      a.root-servers.net.
.                       137375  IN      NS      b.root-servers.net.
.                       137375  IN      NS      c.root-servers.net.
.                       137375  IN      NS      d.root-servers.net.
.                       137375  IN      NS      e.root-servers.net.
.                       137375  IN      NS      f.root-servers.net.
.                       137375  IN      NS      g.root-servers.net.
.                       137375  IN      NS      h.root-servers.net.
.                       137375  IN      NS      i.root-servers.net.
.                       137375  IN      NS      j.root-servers.net.
.                       137375  IN      NS      k.root-servers.net.
;; Received 512 bytes from 192.168.1.1#53(192.168.1.1) in 189 ms

info.                   172800  IN      NS      c0.info.afilias-nst.info.
info.                   172800  IN      NS      a2.info.afilias-nst.info.
info.                   172800  IN      NS      d0.info.afilias-nst.org.
info.                   172800  IN      NS      b2.info.afilias-nst.org.
info.                   172800  IN      NS      b0.info.afilias-nst.org.
info.                   172800  IN      NS      a0.info.afilias-nst.info.
;; Received 443 bytes from 192.5.5.241#53(192.5.5.241) in 1224 ms

bugsplat.info.          86400   IN      NS      ns-1356.awsdns-41.org.
bugsplat.info.          86400   IN      NS      ns-212.awsdns-26.com.
bugsplat.info.          86400   IN      NS      ns-1580.awsdns-05.co.uk.
bugsplat.info.          86400   IN      NS      ns-911.awsdns-49.net.
;; Received 180 bytes from 199.254.48.1#53(199.254.48.1) in 239 ms

web01.bugsplat.info.    300     IN      A       192.241.250.244
bugsplat.info.          172800  IN      NS      ns-1356.awsdns-41.org.
bugsplat.info.          172800  IN      NS      ns-1580.awsdns-05.co.uk.
bugsplat.info.          172800  IN      NS      ns-212.awsdns-26.com.
bugsplat.info.          172800  IN      NS      ns-911.awsdns-49.net.
;; Received 196 bytes from 205.251.195.143#53(205.251.195.143) in 15 ms

The information is shown in hierarchical order. Remember how dig appended a dot after the host name web01.bugsplat.info? That dot is an important detail: it denotes the root of the hierarchy.


The root DNS servers are run by various companies and governments around the world. Originally there were few of them, but the Internet grew, and now there are 13. Behind each of them, however, are tens or hundreds of physical machines hiding behind a single IP address.


So, at the very top of the trace are the root servers, each identified by an NS record. An NS record links a domain name (here the root domain) to a DNS server. When you register a domain name with a registrar like NameCheap or GoDaddy, they create the NS records for you.


In the next block you can see that dig picked a random root server and asked it for the A record of web01.bugsplat.info. Only the root server's IP address is shown (192.5.5.241). So which root server was it? Let's find out!


$ dig -x 192.5.5.241

; <<>> DiG 9.8.3-P1 <<>> -x 192.5.5.241
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2862
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;241.5.5.192.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
241.5.5.192.in-addr.arpa. 3261  IN      PTR     f.root-servers.net.

The -x flag makes dig perform a reverse lookup by IP address. DNS answers with a PTR record, which links an IP address to a host name, in this case f.root-servers.net.


Back to our original query: root server F returned another set of NS servers, the ones responsible for the top-level domain info. dig asks one of them for the A record of web01.bugsplat.info, gets yet another set of NS servers in response, then asks one of those for the A record of web01.bugsplat.info, and finally gets the answer!


Phew! That would generate a lot of traffic, but almost all of these records have long been cached by every server in the chain. Your computer caches this data too, as does your browser. Most of the time DNS queries never reach the root servers, because their IP addresses almost never change ("Probably it is still about the large TTL of the records in their database. Even if a DNS server's IP address never changes, that does not mean its database is cached forever." Note from RRRAV). The top-level domains com, net, org and so on are usually heavily cached as well.
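To make the walk and the caching concrete, here is an added toy resolver (not code from the article, and not how dig or BIND are implemented) that follows the same root -> info. -> bugsplat.info. chain over a constructed delegation table built from the trace above, with a TTL-aware cache. The delegation data, the single name server per zone and the fake clock are assumptions.

```python
"""Toy iterative resolver with a TTL-aware cache, modelled on the dig +trace
walk above (root -> info. -> bugsplat.info. -> answer). Added example, not
code from the article and not how dig or BIND work internally."""
from __future__ import annotations

# Constructed authoritative data (assumption): what the server for each zone
# answers, keyed (name, type) -> (ttl, values). TTLs are the ones printed by
# dig +trace; one name server per zone for brevity.
AUTH = {
    ".": {("info.", "NS"): (172800, ["a0.info.afilias-nst.info."])},
    "info.": {("bugsplat.info.", "NS"): (86400, ["ns-212.awsdns-26.com."])},
    "bugsplat.info.": {
        ("bugsplat.info.", "NS"): (172800, ["ns-212.awsdns-26.com."]),
        ("web01.bugsplat.info.", "A"): (300, ["192.241.250.244"]),
    },
}


def ancestors(name: str) -> list[str]:
    """Zones enclosing name, deepest first; the lone '.' is the root:
    web01.bugsplat.info. -> ['bugsplat.info.', 'info.', '.']"""
    labels = name.rstrip(".").split(".")
    zones = [".".join(labels[i:]) + "." for i in range(1, len(labels))]
    return zones + ["."]


class Resolver:
    def __init__(self) -> None:
        self.now = 0  # fake clock in seconds, advanced by the caller
        self.cache: dict[tuple[str, str], tuple[int, list[str]]] = {}

    def _get(self, name: str, rtype: str) -> list[str] | None:
        entry = self.cache.get((name, rtype))
        if entry is None:
            return None
        expires, values = entry
        if expires <= self.now:  # TTL ran out: forget the record
            del self.cache[(name, rtype)]
            return None
        return values

    def _put(self, name: str, rtype: str, ttl: int, values: list[str]) -> None:
        self.cache[(name, rtype)] = (self.now + ttl, values)

    def _start_zone(self, name: str) -> str:
        # Start at the deepest zone whose NS set is still cached. This is
        # why repeat queries almost never reach the root servers.
        for zone in ancestors(name):
            if zone == "." or self._get(zone, "NS") is not None:
                return zone
        return "."

    def resolve(self, name: str, rtype: str = "A") -> tuple[list[str], list[str]]:
        """Return (values, zones asked). An empty second list is a cache hit."""
        hit = self._get(name, rtype)
        if hit is not None:
            return hit, []
        asked: list[str] = []
        zone = self._start_zone(name)
        while True:
            asked.append(zone)
            data = AUTH[zone]
            if (name, rtype) in data:  # authoritative answer
                ttl, values = data[(name, rtype)]
                self._put(name, rtype, ttl, values)
                return values, asked
            # Otherwise take the referral: the longest child zone this server
            # delegates that still encloses the queried name.
            children = [z for (z, t) in data
                        if t == "NS" and z != zone and name.endswith("." + z)]
            if not children:
                raise LookupError(f"{zone} has neither data nor a referral for {name}")
            child = max(children, key=len)
            ttl, ns = data[(child, "NS")]
            self._put(child, "NS", ttl, ns)  # referral NS sets are cached too
            zone = child


def demo() -> list[list[str]]:
    """Three lookups of web01.bugsplat.info.: cold, warm, and after the
    300-second A TTL expires while the NS sets (TTL 86400+) are still cached."""
    r = Resolver()
    cold = r.resolve("web01.bugsplat.info.")[1]     # ['.', 'info.', 'bugsplat.info.']
    warm = r.resolve("web01.bugsplat.info.")[1]     # []
    r.now += 301
    stale_a = r.resolve("web01.bugsplat.info.")[1]  # ['bugsplat.info.']
    return [cold, warm, stale_a]
```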

Other record types

There are a few more types you should know about. The first is MX. It maps a domain name to one or more mail servers. Email is so important that it has its own DNS record type. Here are the MX values for petekeen.net:


$ dig petekeen.net MX

; <<>> DiG 9.7.6-P1 <<>> petekeen.net mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18765
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;petekeen.net.                  IN      MX

;; ANSWER SECTION:
petekeen.net.           86400   IN      MX      60 web01.bugsplat.info.

;; Query time: 272 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Jul 19 20:33:43 2013
;; MSG SIZE  rcvd: 93

Note that an MX record points to a name, not to an IP address.


Another type you will most likely run into is CNAME, short for Canonical Name. It links one name to another. Let's look at the answer:


$ dig www.petekeen.net

; <<>> DiG 9.7.6-P1 <<>> www.petekeen.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16785
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.petekeen.net.              IN      A

;; ANSWER SECTION:
www.petekeen.net.       86400   IN      CNAME   web01.bugsplat.info.
web01.bugsplat.info.    300     IN      A       192.241.250.244

;; Query time: 63 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Jul 19 20:36:58 2013
;; MSG SIZE  rcvd: 86

It is immediately clear that we received two answers. The first says that www.petekeen.net points to web01.bugsplat.info. The second returns the A record for that server. You can think of a CNAME as a nickname (alias) for another server.

What's wrong with CNAME

CNAME records are very useful, but there is an important catch: if a CNAME exists for some name, you cannot create any other record with that same name. Neither MX, nor A, nor NS, nothing.


The reason is that DNS performs a substitution: all records of the name the CNAME points to are also valid for the CNAME's own name. In our example, the records for www.petekeen.net and for web01.bugsplat.info coincide.


That is why you cannot put a CNAME on the root domain, such as petekeen.net: we usually need other records there, for example MX.
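An added check for this rule (not part of the article): it parses records in the layout dig prints, flags a name that owns a CNAME next to any other type, an apex CNAME, or an MX pointing at an IP address, and follows CNAME chains the way a resolver substitutes them. The sample records are constructed from the dig output above.

```python
"""Zone-record checks for the CNAME rule (a CNAME owner may have no other
data) plus the MX-must-be-a-name rule. Added example, not code from the
article. Sample records are constructed from the dig output above."""
from __future__ import annotations
from collections import defaultdict

# Constructed sample: the records behind the dig answers shown above.
GOOD = """
petekeen.net.        86400 IN MX    60 web01.bugsplat.info.
www.petekeen.net.    86400 IN CNAME web01.bugsplat.info.
web01.bugsplat.info. 300   IN A     192.241.250.244
"""

# Constructed sample breaking the rule twice: a CNAME at the apex next to
# the MX, and a CNAME at www next to an A record.
BAD = """
petekeen.net.        86400 IN CNAME web01.bugsplat.info.
petekeen.net.        86400 IN MX    60 web01.bugsplat.info.
www.petekeen.net.    86400 IN CNAME web01.bugsplat.info.
www.petekeen.net.    86400 IN A     192.0.2.10
"""


def parse_records(text: str) -> list[tuple[str, int, str, str]]:
    """Parse 'owner ttl IN type rdata' lines in the layout dig prints."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop dig-style comments
        if not line:
            continue
        owner, ttl, klass, rtype, rdata = line.split(None, 4)
        if klass.upper() != "IN":
            raise ValueError(f"unexpected class {klass!r} in: {raw}")
        records.append((owner.lower(), int(ttl), rtype.upper(), rdata.strip()))
    return records


def check_zone(records, apex: str) -> list[str]:
    """Return human-readable problems; an empty list means the rule holds."""
    types_by_owner: dict[str, set[str]] = defaultdict(set)
    for owner, _ttl, rtype, _rdata in records:
        types_by_owner[owner].add(rtype)
    problems = []
    for owner, types in types_by_owner.items():
        if "CNAME" in types and len(types) > 1:
            others = ", ".join(sorted(types - {"CNAME"}))
            problems.append(f"{owner} has a CNAME alongside {others}")
    if "CNAME" in types_by_owner.get(apex.lower(), set()):
        problems.append(f"apex {apex} is a CNAME; it must keep its NS/SOA/MX records")
    for owner, _ttl, rtype, rdata in records:
        if rtype == "MX":
            host = rdata.split()[-1]  # rdata is 'preference exchange'
            if host.rstrip(".").replace(".", "").isdigit():
                problems.append(f"MX for {owner} names an IP address ({host}), not a host")
    return problems


def follow_cname(name: str, records, limit: int = 8) -> str:
    """Canonical name reached from name by CNAME substitution, as a resolver
    does it. Raises on loops or on chains longer than limit."""
    targets = {o: rd.rstrip(".") + "." for o, _t, ty, rd in records if ty == "CNAME"}
    seen: list[str] = []
    name = name.rstrip(".").lower() + "."
    while name in targets:
        if name in seen or len(seen) >= limit:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.append(name)
        name = targets[name].lower()
    return name
```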

Queries to other servers

Imagine that your DNS configuration is broken. You think you have fixed the problem but do not want to wait for caches to expire to make sure. With dig you can send the query to a public DNS server instead of your default one, like this:


$ dig www.petekeen.net @8.8.8.8

The @ symbol followed by an IP address or host name makes dig send the query to that server on the default port. You can use Google's public DNS server or the almost-public Level 3 server at 4.2.2.2.

Typical situations

Let's consider typical situations familiar to many web developers.

Redirecting a domain to www

Often you need to redirect the bare domain iskettlemanstillopen.com to www.iskettlemanstillopen.com. Registrars like NameCheap or DNSimple call this URL Redirect. Here is an example from the NameCheap admin panel:



The @ symbol means the root domain iskettlemanstillopen.com. Let's look at the A record for this domain:


$ dig iskettlemanstillopen.com

;; QUESTION SECTION:
;iskettlemanstillopen.com.      IN      A

;; ANSWER SECTION:
iskettlemanstillopen.com. 500   IN      A       192.64.119.98

This IP belongs to NameCheap, and a small web server there simply performs an HTTP-level redirect to http://www.iskettlemanstillopen.com:


$ curl -I iskettlemanstillopen.com
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 19 Jul 2013 23:53:21 GMT
Content-Type: text/html
Connection: keep-alive
Content-Length: 154
Location: http://www.iskettlemanstillopen.com/

CNAME for Heroku or GitHub

Look at the screenshot above. On the second line there is a CNAME. In this case www.iskettlemanstillopen.com points to an application running on Heroku.


$ heroku domains
=== warm-journey-3906 Domain Names
warm-journey-3906.herokuapp.com
www.iskettlemanstillopen.com

With GitHub it is a similar story, but there you need to create a special file named CNAME in the root of the repository. See the documentation.

Every site on the Internet has a domain name (URL). This is the address at which your site is located.

If you have no domain name, you can buy one from any domain name registrar (for example, Nic.ru).

To launch a site on the OKSOFT platform, you need to point your domain's A records at our IP address.

You can check your site's IP address.

* To redirect a domain, use the personal account at your domain name registrar (you get access to it when buying the domain).

In the DNS server settings you need to change or add two records:

A record for the domain without www: @ A 95.213.177.34

A record for the domain with www: www A 95.213.177.34

Some registrars also let you configure records for the IPv6 protocol:

AAAA record for the domain without www: @ AAAA 2A00:AB00:4300:15C::

AAAA record for the domain with www: www AAAA 2A00:AB00:4300:15C::

The changes take effect within several hours (from 4).

To check whether the changes have taken effect:

Open the command prompt on your computer;

Type ping followed by your domain name with www, and press Enter;

Type ping followed by your domain name without www, and press Enter.

Both must answer from the correct IP address.

Instructions for nic.ru

To change the list of DNS servers:

Go to the section "For customers" at http://www.nic.ru/;

Enter your contract number and password;

Select the menu "Services" - "DNS hosting" - "Order a new service";

Choose the minimum plan and click "Continue":

Enter the identifier DNSOKSOFT, click "Continue", then "Order":

Top up the account by the required amount and wait for delegation;

Select the menu item "Services. View and change data";

Find the service you need (domain registration);

In the "Parameters" column, in the "DNS servers of the domain" list, follow the "Change" link;

In the menu on the right, mark the item "DNS-master";

Add the records:

Select the menu item "Services. DNS zone management";

Click "DNS zone management";

Choose the domain;

Click "+ Add a new record" and add two records:

Wait for the changes to take effect (about 4 hours).

An example of the list of records:

* If you have questions, contact your domain name registrar's technical support and ask for help redirecting the domain.

What is DNS. DNS record update time. How to get started with a new domain. Types of DNS records. How to configure automatic subdomains. Proper redirection to the address without www.

What is DNS

The Internet is a network connecting millions of computers worldwide. Some computers in this network are on around the clock: these are the servers hosting sites and email. Every computer connected to the Internet is assigned a numeric identifier, an IP address. But accessing servers by a numeric identifier is inconvenient for people, so alphabetic domain names were introduced.

DNS (Domain Name System) is the system that maps domain names to IP addresses. A separate class of servers, the NS servers (name servers), is responsible for storing DNS records on the Internet. Some are maintained by domain zone administrators, others by hosters and Internet providers. These servers have their own hierarchy, and records are not updated on all servers at once: on some very quickly, on others over a couple of days. The most popular software for NS servers is called BIND.

DNS record update time

A common question from beginners: when does a new domain start working? Let's try to answer it and also see whether the process can be sped up.

So you want a new domain to start working. To do this, add records to DNS and wait until they propagate across the Internet. The update time ranges from several hours to three days. The limits come from the principles of DNS, which is a distributed, high-load system.

After registering a domain or changing DNS records, your site becomes available to different users at different times, depending on their Internet providers. That is, the site may still be unavailable to you while someone else can already reach it, or vice versa. This is because each Internet provider sets its own DNS cache refresh time on its servers.

As for subdomains, when created they often become available either immediately or within 5-20 minutes (the records only need to be updated on the hoster's NS servers).

How to get started with the new domain

If you have registered a domain or changed DNS records and urgently need to start working with the site, you can add one line to your operating system's hosts file (on Windows the file is in C:\Windows\System32\Drivers\etc; the folder is hidden by default, and you must enable the display of hidden folders in the Control Panel):

xxx.xxx.xxx.xxx site.ru

where xxx.xxx.xxx.xxx is the server IP address and site.ru is your site's domain name.

Types of DNS records

For a domain to start working, you need to set several DNS records for it.

NS record. Needed to specify the DNS servers serving your domain. A domain registrar or hosting provider can offer their DNS servers. Another option is to configure your own NS server and use it.

A record. Needed to specify the IP address of your site. The IP address is provided by your hosting provider.

AAAA record. Used to specify an IP address of version 6 (IPv6). At the moment, these addresses are not yet widely supported.

MX record. Specifies the IP address of your email server. Needed to deliver mail to your domain's mailboxes.

CNAME record. Used to specify one domain as an alias of another, that is, it gives your domain or subdomain the same IP address as the domain you name in the record.

PTR record. This is a reverse record that lets a query for your site's IP address return the full domain name. It matters if you run a mail server for the domain, since many mail servers check the correctness of the PTR record (to decide whether a message is spam). This record is set by the hosting provider. You can check it with a dedicated service. Usually there are no problems and the record is set correctly from the start.

How to configure automatic subdomains for each user. Creating wildcard DNS records

A wildcard record is a DNS record that covers all subdomains *.site.ru. Such a record may be needed, for example, for a CMS (WordPress MU, Drupal) used to manage subdomains.

To create it, go to the domain's DNS records section and add an A record with the * character as the subdomain and the server's IP address (usually the same as the IP address of the main domain) as the address. If you cannot do this, contact technical support.

At the same time, let's look at how to configure Apache to work with wildcard subdomains. Suppose the server configuration file contains a section describing a virtual host:


Documentroot "/home/site.ru"
ServerName "Site.ru"
Serveralias "www.site.ru"
ErrorLog Logs / Site.ru-error.log
CustomLog Logs / Site.ru-Access.log Common

You only need to add the alias *.site.ru:

ServerAlias "www.site.ru" "*.site.ru"

Proper redirection from www.site.ru to site.ru. 301 redirect.

Some users reach your site by adding www to the address, others do not. This can hurt your ranking in search engines. Here is how to fix the problem on an Apache server:

1. Make sure the mod_rewrite module is enabled on the server: in httpd.conf the line LoadModule rewrite_module modules/mod_rewrite.so must be uncommented. If you have just enabled it, restart Apache.

2. Add the following lines to the .htaccess file, replacing site.ru with your site's address:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.site\.ru$
# Permanent redirect of any path to the same path on the bare domain
RewriteRule ^(.*)$ http://site.ru/$1 [R=301,L]

3. Try opening the site via www.site.ru in the browser address bar. The address should change to site.ru.

4. Alternatively, you can add these lines to .htaccess:

RewriteCond %{HTTP_HOST} !^site\.ru$
RewriteRule ^(.*)$ http://site.ru/$1 [R=301,L]

This also handles requests to your site correctly when the domain ends with a dot: site.ru. instead of site.ru.

We hope the article helped you get an idea of how to work with domains. Please leave questions and remarks in the comments.

DNS (Domain Name System) is an important and fairly complex-to-configure component required for websites and servers to work. Many users rely on the DNS servers provided by their hosting provider, but running your own DNS servers has certain advantages.

In this manual you will learn how to install BIND9 and configure it as a caching or forwarding DNS server on Ubuntu 14.04.

Requirements

  • An understanding of the basic DNS server types. You can read about the details separately.
  • Two machines, at least one of which runs Ubuntu 14.04. The first will be configured as the client (IP address 192.0.2.100), the second as the DNS server (192.0.2.1).

You will also learn how to configure the client machine to send its queries through the DNS server.

Caching DNS server

Servers of this type are also called resolvers, since they process recursive queries and, as a rule, can look up DNS data on other servers.

When a caching DNS server finds the answer to a client's query, it returns the answer to the client and also stores it in its cache for the period allowed by the TTL value of the corresponding DNS records. The cache can then serve subsequent queries, speeding up overall query processing.

Almost all DNS servers in your network configuration will be caching servers. A caching DNS server is a good choice in many situations. If you do not want to rely on your hosting provider's DNS servers or other publicly available DNS servers, set up your own caching DNS server. The closer the DNS server is to the client machines, the shorter the DNS query service time.

Forwarding DNS server

From the client's point of view, a forwarding DNS server looks almost identical to a caching server, but the mechanisms and workload are completely different.

A forwarding DNS server has the same advantages as a caching server. However, it does not actually perform a single recursive query itself. Instead, it forwards all queries to an external resolving server and then caches the results for subsequent queries.

This lets the forwarding server serve queries from its cache without doing any recursive work. Thus the server handles only single queries (forwarded client queries), not the whole recursion procedure. This can be an advantage in environments with limited external bandwidth, where you want to change caching servers often, or where you need to forward local queries to one server and external ones to another.

1: Install BIND on the DNS server

The BIND package is in the official Ubuntu repository. Update the package index and install BIND with apt. You also need a couple of dependencies.

sudo apt-get update
sudo apt-get install bind9 bind9utils bind9-doc

After that you can start configuring the server. The caching server configuration can be used as a template for the forwarding server, so first configure the caching DNS server.

2: Configuring the caching DNS server

First, configure BIND as a caching DNS server. With this configuration the server will recursively look up answers to client queries on other DNS servers. It will query the relevant DNS servers in turn until it finds the answer.

BIND configuration files are stored in the /etc/bind directory.

Most of the files do not need editing. The main configuration file is named.conf (named and BIND are two names of the same application). This file includes named.conf.options, named.conf.local and named.conf.default-zones.

To configure a caching DNS server you only need to edit named.conf.options.

sudo nano named.conf.options

This file looks like this (comments are omitted for simplicity):

options {
        directory "/var/cache/bind";
        dnssec-validation auto;

        listen-on-v6 { any; };
};

To configure the caching server, you need to create an access control list, or ACL.

A DNS server that processes recursive queries must be protected from attackers. DNS amplification attacks are especially dangerous because they can draw the server into distributed denial-of-service attacks.

A DNS amplification attack is one way to take servers and sites down. Attackers look for publicly accessible DNS servers that process recursive queries. They spoof the victim's IP address and send a query for which the DNS server returns a very large response. The DNS server thus sends far more data to the victim than the size of the small request, multiplying the bandwidth available to the attacker.

Running a publicly accessible recursive DNS server requires careful configuration and administration. To prevent abuse of the server, configure a list of IP addresses or network ranges that the server can trust.

Before the options block, add an acl block. Give the ACL group a label (in this manual the group is called goodclients).

acl goodclients {
};
options {
        . . .

In this block, list the IP addresses or networks that are allowed to use this DNS server. Since the server and the client are in the same /24 subnet, you can restrict access to that subnet. You also need to allow localhost and localnets, which BIND defines automatically.

acl goodclients {
        192.0.2.0/24;
        localhost;
        localnets;
};
options {
        . . .

Now you have an ACL of trusted clients. You can proceed to configuring query permissions in the options block. Add these lines to it:

options {
        directory "/var/cache/bind";
        recursion yes;
        allow-query { goodclients; };

        . . .

The options block explicitly enables recursion and then sets the allow-query parameter to use the ACL. You could also reference the ACL group with another parameter, for example allow-recursion. When recursion is enabled, allow-recursion defines the list of clients that may use recursive services.

However, if allow-recursion is not set, BIND falls back to the allow-query-cache list, then to the allow-query list and, finally, to the default localnets and localhost lists. Since we are only configuring a caching server (it has no zones of its own and does not forward queries), the allow-query list will effectively apply only to recursion. This is the most general way to define the ACL.
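Added example, not part of the guide or of BIND: a small lint that applies the fallback order just described (allow-recursion, then allow-query-cache, then allow-query) to a named.conf.options text and reports when recursion is open to any, references an undefined ACL, or is left to the defaults, which is the open-resolver condition the amplification paragraph above warns about. The two configuration snippets are constructed, the hardened one mirroring the goodclients ACL above.

```python
"""Lint for the open-recursion risk described above. Added example; not part
of the guide and not a BIND tool. It applies the fallback order BIND uses
(allow-recursion, then allow-query-cache, then allow-query) to the options
block of a named.conf.options text. Both snippets below are constructed."""
from __future__ import annotations
import re

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
FALLBACK_ORDER = ("allow-recursion", "allow-query-cache", "allow-query")

WEAK = """
options {
        directory "/var/cache/bind";
        recursion yes;
        allow-query { any; };
        listen-on-v6 { any; };
};
"""

HARDENED = """
acl goodclients {
        192.0.2.0/24;
        localhost;
        localnets;
};
options {
        directory "/var/cache/bind";
        recursion yes;
        allow-query { goodclients; };
        listen-on-v6 { any; };
};
"""


def _block(text: str, header: str) -> str | None:
    """Body of the top-level `header { ... }` block, matching nested braces."""
    m = re.search(r"\b%s\s*\{" % re.escape(header), text)
    if m is None:
        return None
    depth = 1
    for i in range(m.end(), len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    return None


def _directive(body: str, name: str) -> str | None:
    """Value of `name value;` or `name { a; b; };` found directly in body."""
    m = re.search(r"(?m)^\s*%s\s+(\{[^}]*\}|[^;{]+)\s*;" % re.escape(name), body)
    return m.group(1).strip() if m else None


def _members(value: str) -> list[str]:
    return [x.strip().lower() for x in value.strip("{}").split(";") if x.strip()]


def audit_recursion(conf: str) -> list[str]:
    """Findings for the options block. Empty means recursion is off or is
    limited to an explicit client list whose ACL names all exist."""
    opts = _block(conf, "options")
    if opts is None:
        return ["no options block found"]
    # BIND defaults to recursion yes, so an absent directive is not safe.
    if (_directive(opts, "recursion") or "yes").lower() == "no":
        return []
    findings: list[str] = []
    for directive in FALLBACK_ORDER:  # the order BIND consults them
        value = _directive(opts, directive)
        if value is None:
            continue
        for member in _members(value):
            member = member.lstrip("!")  # negated entries still name an ACL
            if member == "any":
                findings.append(f"{directive} {{ any; }}: open recursive resolver")
            elif (member not in BUILTIN_ACLS
                  and not re.match(r"^[0-9a-f:.]+(/\d+)?$", member)  # literal IP/CIDR
                  and _block(conf, "acl " + member) is None):
                findings.append(f"{directive} references undefined acl '{member}'")
        return findings  # the first directive present is the one that applies
    return ["recursion yes with no allow-* list: only the built-in "
            "localhost/localnets default applies; make the ACL explicit"]
```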

Save and close the file.

These are all the settings you need to add to the configuration file of the caching DNS server.

Note: If you only want to use this type of DNS server, skip ahead to checking the configuration, restarting the service and configuring the client.

3: Configuring a forwarding DNS server

If a forwarding DNS server suits your infrastructure better, you can adjust the configuration a bit.

At the moment named.conf.options looks like this:

acl goodclients {
        192.0.2.0/24;
        localhost;
        localnets;
};
options {
        directory "/var/cache/bind";
        recursion yes;
        allow-query { goodclients; };
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

You can use the same ACL to restrict the DNS server to a specific list of clients. However, the configuration must change slightly so that the server no longer tries to perform recursive queries itself.

Do not change recursion to no. The forwarding server still provides recursive service to its clients. To configure a forwarding server, you need to create a list of caching servers to which it will forward queries.

This is done in the options {} block. First, create a new forwarders block inside it, holding the IP addresses of the recursive name servers you want to forward queries to. Here these are Google's DNS servers (8.8.8.8 and 8.8.4.4):

. . .
options {
        directory "/var/cache/bind";
        recursion yes;
        allow-query { goodclients; };
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
. . .

As a result, the configuration looks like this:

acl goodclients {
        192.0.2.0/24;
        localhost;
        localnets;
};
options {
        directory "/var/cache/bind";
        recursion yes;
        allow-query { goodclients; };
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
        forward only;
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

The last change concerns DNSSEC. With the current configuration, and depending on how the DNS servers you forward to are configured, errors like these may appear in the logs:

Jun 25 15:03:29 cache named: error (chase DS servers) resolving 'in-addr.arpa/DS/IN': 8.8.8.8#53
Jun 25 15:03:29 cache named: error (no valid DS) resolving '111.111.111.111.in-addr.arpa/PTR/IN': 8.8.4.4#53

To avoid them, change the value of dnssec-validation to yes and explicitly enable DNSSEC.

. . .
        forward only;
        dnssec-enable yes;
        dnssec-validation yes;
        auth-nxdomain no;    # conform to RFC1035
. . .

Save and close the file. Setting up a redirect DNS server is complete.

4: Checking the configuration and restarting BIND

Now you need to make sure that the settings are working properly.

To check the syntax of configuration files, enter:

sudo named-checkconf

If there are no errors in files, the command line will not display any output.

If you received an error message, correct it and repeat the check.

After that, you can restart the BIND daemon to update the settings.

sudo service bind9 restart

Then check the server logs. Run this command on the server:

sudo tail -f /var/log/syslog

Now open the new terminal and proceed to setting up the client machine.

5: Client setup

Log in to the client machine. Make sure the client is included in the ACL group of the configured DNS server. Otherwise the DNS server will refuse to serve its queries.

Edit the /etc/resolv.conf file to point the client at the name server.

Changes made here persist only until the next reboot, which is fine for testing. If you are satisfied with the test settings, you can make them permanent.

Open the file with sudo in a text editor:

sudo nano /etc/resolv.conf

In this file, list the DNS servers that will be used to resolve queries, using the nameserver directive. Comment out all current entries and add a nameserver line pointing to your DNS server:

nameserver 192.0.2.1
# nameserver 8.8.4.4
# nameserver 8.8.8.8
# nameserver 209.244.0.3

Save and close the file.

Now you can send a test query to make sure it resolves correctly.

To do this, you can use ping:

ping -c 1 google.com
PING google.com (173.194.33.1) 56(84) bytes of data.
64 bytes from sea09s01-in-f1.1e100.net (173.194.33.1): icmp_seq=1 ttl=55 time=63.8 ms

--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 63.807/63.807/63.807/0.000 ms