DNS (BIND)
*******************************************************************************
Install and configure BIND9 on Debian 4.0 (Etch)
Created by: Alessandro C. M. Kuramoto
Date: 07/08/2008
Modified on: 01/03/2009-08:00
v.20090301-08:00
Keywords: DNS, bind9
Tags: DNS, bind9
If you want to know something about this file, send me an e-mail at
sancmk@gmail.com or post a comment here (on the WordPress).
Please keep the author's name on this file.
*******************************************************************************
# See the following command:
dnssec-configure
Open DNS servers (public resolvers):
208.67.220.220
###############################################################################
# Warnings!!!
###############################################################################
http://memovirtual.worpress.com
## Attention on the memovirtual site:
## options passed with -- (minus, minus) on the site may have come out as
## an — (em dash), so use "man" to confirm the option you are using.
## Sorry for the errors in Portuguese, but you know how it is...
## our language is easy... and sometimes when writing, the thought is
## already ahead while the typing...
|##########^ Warnings!!! #####################################################|
###############################################################################
# Temp:
###############################################################################
>Temp
|##########^ Temp ############################################################|
###############################################################################
# Server:
###############################################################################
OS: Debian 4.0 Etch
Server: DNS
Service: BIND
===============================================================================
Basic installation (text mode):
===============================================================================
RAM   512 MB
Swap  1 GB
/boot 100 MB
/     2 GB
/usr  3 GB
/var  5 GB
|==========^ Basic installation (text mode) ==================================|
===============================================================================
Identifying data for this box: (case study)
===============================================================================
### uname -a
uname -a
Linux ns1 2.6.18-6-amd64 #1 SMP Sun Feb 10 17:50:19 UTC 2008 x86_64 GNU/Linux
### free
free -m
             total       used       free     shared    buffers     cached
Mem:           980        635        345          0         87        397
-/+ buffers/cache:        150        830
Swap:          956          0        956
|<<<<<<<<<<<<<< ==== Identifying data for this box: (case study) ====
### df
df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda4              12G  410M   12G   4% /
tmpfs                 491M     0  491M   0% /lib/init/rw
udev                   10M   56K   10M   1% /dev
tmpfs                 491M     0  491M   0% /dev/shm
/dev/sda2              95M   40M   55M  42% /boot
/dev/sda3             7.5G  1.6G  6.0G  21% /var
### du
du -sh /boot/
7.5M    /boot/
|==========^ Identifying data for this box: (case study) =====================|
|##########^ Server ##########################################################|
###############################################################################
# Concepts:
###############################################################################
===============================================================================
DNS:
===============================================================================
RR is the Resource Record.
The set of resource records with the same owner name, class and type is
called an RRSet (DNSSEC signs RRSets, not individual records).
Some common record types:
SOA
NS
A
MX
CNAME
|<<<<<<<<<<<<<< #### Concepts ####
===============================================================================
DNSSEC:
===============================================================================
DNSKEY is the public key; both the KSK and the ZSK are published as DNSKEY
records (flags 257 for a KSK, 256 for a ZSK):
dig @ns.dominio.com.br DNSKEY dominio.com.br +multiline +dnssec
RRSIG is the signature over an RRSet, made with the private half of a DNSKEY.
DS is the digest of a DNSKEY (normally the KSK) published in the parent zone
(for .br domains, by registro.br); it is what links the chain of trust.
|##########^ Concepts ########################################################|
###############################################################################
# Installing:
###############################################################################
## Update the package list:
sudo apt-get update
## To install, run:
sudo apt-get install bind9
|##########^ Installing ######################################################|
###############################################################################
# Configuring: #
###############################################################################
Stop the DNS service:
/etc/init.d/bind9 stop
===============================================================================
Configuring ACLs in named.conf:
===============================================================================
_______________________________________________________________________________
File: /etc/bind/named.conf (Permissions: -rw-r--r-- 1 bind bind)
-------------------------------------------------------------------------------
...
...
acl clientes {
localhost;
200.200.200.0/20;
10.0.0.0/8;
172.16.0.0/24;
};
...
...
|----------^ File: /etc/bind/named.conf -------------------------------------|
Note: an acl only names a set of addresses. It has no effect until a
statement such as allow-recursion or allow-query references it. Also,
200.200.200.0/20 is not on a /20 boundary (the /20 that contains it is
200.200.192.0/20); write prefixes on their network boundary.
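What referencing the acl looks like, as an added example (a named.conf.options fragment written for this page, not taken from it or from Debian's packaged config): the weak setting next to the corrected one. The acl name and addresses are the ones above, the /20 is written on its boundary, and the directory line is Debian's default; the two options blocks are alternatives, not meant to coexist.

```conf
// WEAK: the acl is declared but nothing references it. BIND 9.3's default
// is allow-recursion { any; }, so every host on the Internet can recurse
// through this server: an "open resolver" (see the note at the top of
// the page), usable for cache poisoning attempts and amplification.
options {
    directory "/var/cache/bind";
    allow-query { any; };
};

// CORRECTED: the acl is referenced. Authoritative data is still answered
// for anyone; recursion is offered only to the networks in the acl.
acl clientes {
    localhost;
    200.200.192.0/20;   // the /20 that contains 200.200.200.0
    10.0.0.0/8;
    172.16.0.0/24;
};

options {
    directory "/var/cache/bind";
    allow-query     { any; };
    allow-recursion { clientes; };
    // BIND 9.4 and later: also keep cached answers inside the acl
    // allow-query-cache { clientes; };
};
```

Check the syntax with named-checkconf before restarting. Then query a foreign name (dig @server www.terra.com.br) from an address outside the acl: the reply must not carry the ra flag and must not be a recursive answer.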
===============================================================================
Configuring the chroot:
===============================================================================
-------------------------------------------------------------------------------
Restrict the service to the chroot directory:
Edit /etc/default/bind9
Change the line:
OPTIONS="-u bind"
To:
OPTIONS="-u bind -t /var/lib/bind9"
(With -t every path in named.conf is resolved inside the chroot, so
"/etc/bind/db.dominio.signed" means /var/lib/bind9/etc/bind/db.dominio.signed.)
-------------------------------------------------------------------------------
Create the chroot directory tree:
mkdir /var/lib/bind9
mkdir -p /var/lib/bind9/etc
mkdir /var/lib/bind9/dev
mkdir -p /var/lib/bind9/var/cache/bind
mkdir -p /var/lib/bind9/var/run/bind/run
mv /etc/bind /var/lib/bind9/etc/bind
-------------------------------------------------------------------------------
Guard against problems with future package upgrades (the package still
expects /etc/bind; the symlink lets it, and you, keep using that path):
ln -s /var/lib/bind9/etc/bind /etc/bind
-------------------------------------------------------------------------------
Create the device nodes named needs (major 1 minor 3 is null, 1/8 is random):
mknod /var/lib/bind9/dev/null c 1 3
mknod /var/lib/bind9/dev/random c 1 8
-------------------------------------------------------------------------------
Fix file permissions:
chmod 666 /var/lib/bind9/dev/null /var/lib/bind9/dev/random
chown -Rv bind:bind /var/lib/bind9/var/*
chown -Rv bind:bind /var/lib/bind9/etc/bind
-------------------------------------------------------------------------------
Make syslog listen inside the chroot; otherwise named's log lines are lost
once it is confined, because it can no longer reach /dev/log:
Edit /etc/default/syslogd
Change the line to:
SYSLOGD="-a /var/lib/bind9/dev/log"
-------------------------------------------------------------------------------
Restart the services (syslog first, so the socket exists when named starts):
/etc/init.d/sysklogd restart
/etc/init.d/bind9 start
-------------------------------------------------------------------------------
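The steps above as one idempotent script with a verification function, added here (not part of the page or of Debian's bind9 package). It assumes the same tree under /var/lib/bind9 and the bind service user; mknod and chown need root, so an unprivileged run builds the directories only and the check reports what is still missing.

```sh
#!/bin/sh
# Added example: build and verify the BIND chroot tree from the page's steps.
# CHROOT_DIRS mirrors the mkdir list above; ROOT defaults to /var/lib/bind9.
CHROOT_DIRS="etc dev var/cache/bind var/run/bind/run"

# build_bind_chroot [ROOT]: create the tree. Device nodes and ownership need
# root and are skipped (with a warning) when run by an ordinary user.
build_bind_chroot() {
    root=${1:-/var/lib/bind9}
    for d in $CHROOT_DIRS; do
        mkdir -p "$root/$d"
    done
    if [ "$(id -u)" -eq 0 ]; then
        # major 1 minor 3 = null, major 1 minor 8 = random (not urandom)
        if [ ! -c "$root/dev/null" ]; then
            mknod "$root/dev/null" c 1 3 || echo "warning: mknod null failed" >&2
        fi
        if [ ! -c "$root/dev/random" ]; then
            mknod "$root/dev/random" c 1 8 || echo "warning: mknod random failed" >&2
        fi
        for dev in null random; do
            if [ -c "$root/dev/$dev" ]; then chmod 666 "$root/dev/$dev"; fi
        done
        # the service user assumed in /etc/default/bind9 (-u bind)
        if id bind >/dev/null 2>&1; then
            chown -R bind:bind "$root/var" || echo "warning: chown failed" >&2
            if [ -d "$root/etc/bind" ]; then chown -R bind:bind "$root/etc/bind"; fi
        fi
    else
        echo "warning: not root, skipped mknod/chown under $root" >&2
    fi
    return 0
}

# relocate_etc_bind [ROOT]: move the packaged config into the chroot and leave
# a symlink behind so dpkg upgrades (and you) keep finding /etc/bind.
# Destructive on a live system, so the checks below never call it.
relocate_etc_bind() {
    root=${1:-/var/lib/bind9}
    if [ -d /etc/bind ] && [ ! -L /etc/bind ]; then
        mv /etc/bind "$root/etc/bind" && ln -s "$root/etc/bind" /etc/bind
    fi
}

# verify_bind_chroot [ROOT]: print every missing piece, one per line, and
# return the number of problems (0 = complete). Whether named really runs
# with -t is visible in ps (see the ps output at the end of this page).
verify_bind_chroot() {
    root=${1:-/var/lib/bind9}
    problems=0
    for d in $CHROOT_DIRS; do
        if [ ! -d "$root/$d" ]; then
            echo "missing dir: $root/$d"; problems=$((problems + 1))
        fi
    done
    for dev in null random; do
        if [ ! -c "$root/dev/$dev" ]; then
            echo "missing device: $root/dev/$dev"; problems=$((problems + 1))
        fi
    done
    if [ ! -e "$root/etc/bind/named.conf" ]; then
        echo "missing config: $root/etc/bind/named.conf (relocate_etc_bind not done)"
        problems=$((problems + 1))
    fi
    if [ ! -S "$root/dev/log" ]; then
        echo "missing syslog socket: $root/dev/log (syslogd -a not active)"
        problems=$((problems + 1))
    fi
    return $problems
}

# Usage on the server, as root: build_bind_chroot; relocate_etc_bind;
# then restart sysklogd and bind9 and run verify_bind_chroot.
```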
===============================================================================
Configuring DNSSEC:
===============================================================================
>DNSSEC
(Source: http://registro.br/info/dnssec.html)
To configure
Enable DNSSEC:
With BIND 9.3 on Debian you have to enable "dnssec-enable yes;" in the
"options" section of /etc/bind/named.conf.options. From BIND 9.4 on,
validation is switched on separately with "dnssec-validation yes;"; the
trusted-keys below are what validation checks against.
_______________________________________________________________________________
OS: Debian
File: /etc/bind/named.conf.options (Permissions: -rw-r--r-- 1 bind bind)
-------------------------------------------------------------------------------
.
..
...
/*-----------------------------------------------------------
 * Enables DNSSEC in BIND 9.3; note that BIND 9.4 needs
 * another line as well (dnssec-validation yes;).
 *----------------------------------------------------------*/
dnssec-enable yes;
// Tried to disable DNSSEC for one domain; it did not work.
// dnssec-must-be-secure "jfsr.jus.br" no;
//| File: /etc/bind/named.conf.options
// To find the DNSSEC key: https://registro.br/ksk/index.html
// Add the trusted keys of registro.br and dlv.isc.org
//key id = 18457 from registro.br
trusted-keys {
br. 257 3 5
"AwEAAdDoVnG9CyHbPUL2rTnE22uN66gQCrUW5W0NTXJB
NmpZXP27w7PMNpyw3XCFQWP/XsT0pdzeEGJ400kdbbPq
Xr2lnmEtWMjj3Z/ejR8mZbJ/6OWJQ0k/2YOyo6Tiab1N
GbGfs513y6dy1hOFpz+peZzGsCmcaCsTAv+DP/wmm+hN
x94QqhVx0bmFUiCVUFKU3TS1GP415eykXvYDjNpy6AM=";
dlv.isc.org. 257 3 5
"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
};
...
..
.
|----------^ File: /etc/bind/named.conf.options ----------------------------|
Caveat: keys in trusted-keys are static. When registro.br rolls the .br
KSK this list must be updated by hand, or every .br validation starts to
fail (BIND 9.7 and later have managed-keys, RFC 5011, for that). Listing
the dlv.isc.org key by itself enables nothing: DLV was only consulted when
dnssec-lookaside pointed at it, and ISC has since retired the DLV registry
(2017), so that entry is of historical interest only.
|<<<<<<<<<<<<<< ==== Configuring DNSSEC ====
### KSK generation (-f KSK sets the SEP bit; flags 257 in the DNSKEY)
dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE dominio.com.br
|<<<<<<<<<<<<<< ==== Configuring DNSSEC ====
### Add the keys to the zone file
### Including the key in the zone file:
_______________________________________________________________________________
File: /etc/bind/db.dominio (Permissions: -rw-r--r-- 1 bind bind)
OS: Debian 4.0
-------------------------------------------------------------------------------
.
..
...
$include /etc/bind/Kdominio.com.br.+005+05524.key
|----------^ File: /etc/bind/db.dominio -------------------------------------|
|<<<<<<<<<<<<<< ==== Configuring DNSSEC ====
### Sign the zone:
dnssec-signzone -z -e 20100717170000 -o dominio.com.br /diretorio/nome_da_zona
### Options:
# -z - Ignore the SEP bit of the KSK and sign the whole zone with it
# -e - Expiration (YYYYMMDDHHMMSS) written into every RRSIG; after that
#      instant validating resolvers reject the zone, so re-sign before it
#      (without -e the signatures expire 30 days after signing)
# -o - Zone name (origin)
# The output is <zone file>.signed next to the input, plus a dsset-<zone>.
# file with the DS record to hand to the parent (registro.br).
### Edit named.conf with the name of the new signed zone file;
_______________________________________________________________________________
OS: Debian 4.0
File: /etc/bind/named.conf (Permissions: -rw-r--r-- 1 bind bind)
-------------------------------------------------------------------------------
.
..
...
zone "dominio.com.br" in {
file "/etc/bind/db.dominio.signed";
type master;
allow-transfer { 200.200.200.15; };   // only the secondary may AXFR
allow-query { any; };                 // authoritative data is public
};
...
..
.
|----------^ File: /etc/bind/named.conf -------------------------------------|
|<<<<<<<<<<<<<< ==== Configuring DNSSEC ====
----------------------------------------------------------
### Error:
dnssec-keygen: the key name was not specified
### Cause:
The word ZONE was missing after -n, so the domain name was consumed as the
argument of -n and no key name was left on the command line.
### Solution:
Pass "-n ZONE" followed by the zone name.
|--------------------------------------------------------|
-------------------------------------------------------------------------------
### Error:
dnssec-signzone: warning: No non-KSK dnskey found. Supply non-KSK dnskey or use '-z'.
/etc/bind/db.dominio.signed
### Cause:
The zone only has a KSK (generated with -f KSK, SEP bit set). By default
dnssec-signzone signs the zone data only with non-KSK keys (ZSKs), so it
has nothing to sign with.
### Solution:
Either sign with -z, which makes the KSK sign everything (works, but gives
up the KSK/ZSK split), or generate a second key without -f KSK, $include it
as well and sign again.
|==========^ Configuring DNSSEC =============================================|
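The -e date above is a deadline: once it passes, every validating resolver rejects the zone, which is exactly Error 3 ("Signature expired") in the Troubleshooting section. An added check, not from the page: it reads the RRSIG expirations out of a signed zone file, warns before they lapse, and a small re-sign wrapper shows what to run when it does warn. The zone files are constructed samples in dnssec-signzone layout, and GNU date (as on Debian) is assumed for the timestamp parsing.

```sh
#!/bin/sh
# Added example (not from the page): flag RRSIGs in a signed zone file that
# are expired or about to expire, so the zone is re-signed before resolvers
# start returning SERVFAIL. Assumes GNU date for "date -d".

# Print "<covered type> <expiration>" for every RRSIG in the file. The
# expiration is always the 5th token after the literal RRSIG, whether the
# record is on one line or in the "( ... )" layout dnssec-signzone writes.
rrsig_expirations() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i == "RRSIG") { print $(i + 1), $(i + 5); break } }' "$1"
}

# RRSIG timestamp YYYYMMDDHHMMSS (UTC) -> seconds since the epoch
rrsig_ts_to_epoch() {
    ts=$1
    y=${ts%??????????}; r=${ts#????}
    mo=${r%????????};  r=${r#??}
    d=${r%??????};     r=${r#??}
    h=${r%????};       r=${r#??}
    mi=${r%??};        s=${r#??}
    date -u -d "$y-$mo-$d $h:$mi:$s" +%s
}

# check_rrsig_expiry ZONEFILE [WARN_DAYS]
# Prints one line per RRSIG. Returns 0 when all signatures are good for
# more than WARN_DAYS, 1 when any is expired or expiring, 2 when the file
# has no RRSIG at all (unsigned, or the wrong file was named in named.conf).
check_rrsig_expiry() {
    zone=$1; warn_days=${2:-7}
    now=$(date -u +%s)
    limit=$((now + warn_days * 86400))
    status=2
    while read -r type exp; do
        [ -n "$exp" ] || continue
        [ "$status" -eq 2 ] && status=0
        exp_epoch=$(rrsig_ts_to_epoch "$exp")
        if [ "$exp_epoch" -le "$now" ]; then
            echo "EXPIRED  $type RRSIG (expiration $exp)"; status=1
        elif [ "$exp_epoch" -le "$limit" ]; then
            echo "EXPIRING $type RRSIG (expiration $exp, within $warn_days days)"; status=1
        else
            echo "ok       $type RRSIG (expiration $exp)"
        fi
    done <<EOF
$(rrsig_expirations "$zone")
EOF
    return $status
}

# resign_zone ZONE UNSIGNED_FILE [VALID_DAYS]: what to run when the check
# complains. Bump the SOA serial in UNSIGNED_FILE first, or the secondaries
# never transfer the new signatures. -z matches the single-KSK setup above.
# Needs dnssec-signzone, named-checkzone and rndc, so it is not run here.
resign_zone() {
    zone=$1; unsigned=$2; days=${3:-30}
    end=$(date -u -d "+$days days" +%Y%m%d%H%M%S)
    dnssec-signzone -z -e "$end" -o "$zone" "$unsigned" &&
        named-checkzone "$zone" "$unsigned.signed" &&
        rndc reload "$zone"
}

# Constructed samples (not real zones) in dnssec-signzone's output layout.
SAMPLE_EXPIRED=$(mktemp)
cat > "$SAMPLE_EXPIRED" <<'EOF'
dominio.com.br.     86400 IN SOA ns1.dominio.com.br. hostmaster.dominio.com.br. (
                    2009030101 1200 900 1209600 10800 )
                    86400 RRSIG SOA 5 3 86400 20100717170000 (
                    20090301080000 5524 dominio.com.br.
                    c29tZSBzaWduYXR1cmUgYnl0ZXM= )
                    86400 NS ns1.dominio.com.br.
                    86400 RRSIG NS 5 3 86400 20100717170000 (
                    20090301080000 5524 dominio.com.br.
                    c29tZSBzaWduYXR1cmUgYnl0ZXM= )
EOF
SAMPLE_FRESH=$(mktemp)
sed 's/20100717170000/20300101000000/' "$SAMPLE_EXPIRED" > "$SAMPLE_FRESH"
SAMPLE_UNSIGNED=$(mktemp)
cat > "$SAMPLE_UNSIGNED" <<'EOF'
dominio.com.br.     86400 IN SOA ns1.dominio.com.br. hostmaster.dominio.com.br. (
                    2009030101 1200 900 1209600 10800 )
                    86400 NS ns1.dominio.com.br.
EOF

check_rrsig_expiry "$SAMPLE_EXPIRED" 7 || echo "exit status $? - re-sign now"
```

Run it from cron against the .signed file named in named.conf (for example with a 7-day margin); a non-zero exit is the signal to call resign_zone and, if the KSK changed, to send the new DS to registro.br.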
===============================================================================
Zone file:
===============================================================================
Zone file (SOA) parameters:
Refresh - seconds a secondary waits between checks of the master's SOA serial
          (it transfers the zone only if the serial has increased).
Retry   - seconds to wait before trying again after a failed refresh.
Expire  - seconds after which a secondary that could not reach the master
          stops answering for the zone.
Minimum - the negative-caching TTL (how long a "no such name" answer is cached).
###############################################################################
# RESOLVER:
###############################################################################
gethostbyname: Resolver Error 0 (no error)
|<<<<<<<<<<<<<< #### RESOLVER ####
|##########^ RESOLVER ########################################################|
###############################################################################
# Managing BIND:
###############################################################################
### Zone transfer test:
dig @ns1.dominio.com.br dominio.com.br AXFR
(run it from an address outside allow-transfer as well: the expected result
there is "; Transfer failed.", otherwise the whole zone is readable by anyone)
|##########^ Managing BIND ###################################################|
###############################################################################
# Viewing logs:
###############################################################################
tail -f /var/log/syslog
tail -f /var/log/daemon.log
|<<<<<<<<<<<<<< #### Viewing logs ####
|##########^ Viewing logs ####################################################|
###############################################################################
# Query test examples:
###############################################################################
===============================================================================
Recursive DNS test examples:
===============================================================================
dig @ns1.dominio.com.br +trace +multiline www.terra.com.br
===============================================================================
DNSSEC test examples:
===============================================================================
-------------------------------------------------------------------------------
Using whois first:
---------------------------
...............................................................................
## The DS of the zone can be obtained with whois (the registry shows the DS
## it publishes for the domain: key tag, algorithm, digest)
whois dominio.com.br
.
.
ds-record: 6928 RSA/SHA-1 CA7D9EE79CC37D8DC8011F33D330436DF76220D1
dsstatus: 20090330 DSOK
dslastok: 20090330
.
.
|..............................................................................
whois jfrs.jus.br
|----------^ Using whois first ----------------------------------------------|
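What the ds-record line actually is: the key tag, algorithm and SHA-1 digest derived from the zone's KSK DNSKEY, which is what registro.br's dscheck compares against the DNSKEY served by the zone. Computing it yourself, as an added example (not from the page, and not BIND's dnssec-dsfromkey, which Etch's 9.3 does not have), lets you check the DS before publishing it. It uses only POSIX sh, awk, od, base64 and the coreutils digests; the input is the published DNSKEY/DS pair from RFC 4034, section 5.4.

```sh
#!/bin/sh
# Added example (not from the page): compute the DS record of a DNSKEY.
# DS digest = hash( owner name in wire format || DNSKEY RDATA ),
# DNSKEY RDATA = flags(2 bytes) protocol(1) algorithm(1) public key bytes.

# Owner name in wire format (lowercased, length-prefixed labels, root = 00), as hex.
name_to_wire_hex() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); name=${name%.}
    out=""
    for label in $(printf '%s' "$name" | tr '.' ' '); do
        out="$out$(printf '%02x' "${#label}")$(printf '%s' "$label" | od -An -v -tx1 | tr -d ' \n')"
    done
    printf '%s00' "$out"
}

# Hex text on stdin -> raw bytes on stdout, via printf octal escapes (no xxd).
hex_to_bin() {
    hex=$(tr -d ' \n')
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}; hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$pair))")"
    done
}

# Key tag (RFC 4034 Appendix B, algorithms other than 1) of DNSKEY RDATA on
# stdin: sum the RDATA as big-endian 16-bit words, fold the carry back in,
# keep the low 16 bits.
dnskey_keytag() {
    od -An -v -tu1 | tr -s ' \n' '\n' | awk '
        NF  { n++; ac += (n % 2) ? $1 * 256 : $1 }
        END { ac += int(ac / 65536); print ac % 65536 }'
}

# dnskey_to_ds OWNER FLAGS PROTOCOL ALGORITHM BASE64_KEY
# Prints the DS record twice: digest type 1 (SHA-1, as in the whois output
# above) and digest type 2 (SHA-256).
dnskey_to_ds() {
    owner=$1; flags=$2; proto=$3; alg=$4; key=$5
    rdata=$(printf '%04x%02x%02x' "$flags" "$proto" "$alg")$(
        printf '%s' "$key" | tr -d ' ' | base64 -d | od -An -v -tx1 | tr -d ' \n')
    tag=$(printf '%s' "$rdata" | hex_to_bin | dnskey_keytag)
    wire=$(name_to_wire_hex "$owner")$rdata
    d1=$(printf '%s' "$wire" | hex_to_bin | sha1sum   | cut -d' ' -f1)
    d2=$(printf '%s' "$wire" | hex_to_bin | sha256sum | cut -d' ' -f1)
    printf '%s IN DS %s %s 1 %s\n' "$owner" "$tag" "$alg" "$d1"
    printf '%s IN DS %s %s 2 %s\n' "$owner" "$tag" "$alg" "$d2"
}

# Published test vector: the DNSKEY/DS pair of RFC 4034, section 5.4
# (key id 60485; DS 60485 5 1 2BB183AF5F22588179A53B0A98631FAD1A292118).
RFC4034_KEY="AQOeiiR0GOMYkDshWoSKz9XzfwJr1AYtsmx3TGkJaNXVbfi/2pHm822aJ5iI9BMzNXxeYCmZDRD99WYwYqUSdjMmmAphXdvxegXd/M5+X7OrzKBaMbCVdFLUUh6DhweJBjEVv5f2wwjM9XzcnOf+EPbtG9DMBmADjFDc2w/rljwvFw=="
dnskey_to_ds dskey.example.com. 256 3 5 "$RFC4034_KEY"
```

For your own zone, paste the fields of the KSK line from /etc/bind/Kdominio.com.br.+005+NNNNN.key (flags 257, protocol 3, algorithm 5, then the key) and compare the type-1 line with the ds-record whois prints; a mismatch means the registry holds a DS for a key you are no longer serving, which is what the dscheck errors in the Troubleshooting section report.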
dig - command that queries DNS servers;
+bufsize=2500 - advertise an EDNS0 UDP buffer of 2500 bytes (DNSSEC answers
                are large; without EDNS they are truncated at 512 bytes)
+dnssec - set the DO bit, asking for the DNSSEC records (RRSIG, NSEC, DS)
+multiline - print records in the verbose multi-line format
+tcp - force the query over TCP instead of UDP
@a.dns.br - server queried
dig br DNSKEY +dnssec +multiline +tcp
dig @a.dns.br br dnskey +multiline +dnssec +bufsize=2500
dig @200.248.53.141 jfrs.jus.br +multiline
## To query the SOA record:
dig @200.248.53.141 SOA jfrs.jus.br +multiline
## To check whether the domain is signed (an RRSIG follows the SOA if so):
dig @200.248.53.141 SOA jfrs.jus.br +multiline +dnssec
## To check whether the
dig @200.248.53.141 SOA jfrs.jus.br any +multiline
dig @200.169.41.14 SOA dpf.gov.br any +multiline
;; Warning, extra type option
;; Truncated, retrying in TCP mode.
## (two types were given, SOA and any; dig warns and uses the last one)
dig @200.169.41.14 SOA dpf.gov.br +dnssec any +multiline
## The same query as above over TCP:
dig @200.169.41.14 SOA dpf.gov.br +dnssec any +multiline +tcp
-------------------------------------------------------------------------------
dig @IP_DO_SERVIDOR_DNS_EXTERNO_LOCAL SOA jfrs.jus.br +dnssec +multiline
; <<>> DiG 9.6.1-P2 <<>> @IP_DO_SERVIDOR_DNS_EXTERNO_LOCAL SOA jfrs.jus.br +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60961
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jfrs.jus.br. IN SOA
;; ANSWER SECTION:
jfrs.jus.br. 15 IN SOA ns1.jfrs.jus.br. srede.jfrs.jus.br. (
2010070108 ; serial
1200 ; refresh (20 minutes)
900 ; retry (15 minutes)
1209600 ; expire (2 weeks)
10800 ; minimum (3 hours)
)
jfrs.jus.br. 15 IN RRSIG SOA 5 3 15 20100218162912 (
20100119162912 37087 jfrs.jus.br.
A34y8vwNY7zFkEf1qHhAqP6WIMd7F8kVD9nYOl30E4FA
SWNmVRijoNJenkrdginId+yX66LeUY8GrZubhL74hcHk
dYjotDcBwLbG4PWbINyDqxI3c+/P7D+CbOu49jgFZKYs
tZZ+6BJZcIfCKSCQpH5oNntjgRr8t06SAZ8RwNE4Zu/f
GdHKbUvRflAHabIycgawfmYk1P2dJlAQRgNE0yMa3MtO
vcvg5xFijytGB86vLq0XrKtXgS/pPdT1MiZO58+K90tH
C/+rER6OTdGoCaGgUI7/75MVPPfh+FKcsPQpFYWrH0bn
ys19EwDrc2iVyLHFM470aHnWetUhsckVsA== )
;; Query time: 122 msec
;; SERVER: IP_DO_SERVIDOR_DNS_EXTERNO_LOCAL#53(IP_DO_SERVIDOR_DNS_EXTERNO_LOCAL)
;; WHEN: Wed Jan 20 08:04:56 2010
;; MSG SIZE rcvd: 385
|-----------------------------------------------------------------------------|
--------------------------------
Test with the following domains:
--------------------------------
jef.jfrs.jus.br
www.jfce.jus.br
www.jfes.jus.br
www.stf.jus.br
www.trt4.jus.br
www.trf1.jus.br
www.tj.rj.gov.br
www.tjba.jus.br
www.tjms.jus.br
Examples:
dig DNSKEY +multiline +dnssec www.stf.jus.br
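Reading the answers from the tests above: the ad flag in the header (as in the jfrs.jus.br output) means the resolver validated the chain; RRSIGs without ad mean the zone is signed but this resolver did not validate; SERVFAIL with +dnssec is usually a validation failure (Error 1 and Error 2 under Troubleshooting). An added helper, not from the page, that classifies a saved dig answer and tells a validation failure apart from a dead name server with the +cd (checking disabled) trick. The dig outputs here are constructed samples in dig's layout.

```sh
#!/bin/sh
# Added example (not from the page): interpret dig output for DNSSEC status.

# classify_dig_output FILE -> one word:
#   validated           NOERROR and the "ad" flag: the resolver verified the chain
#   signed-unvalidated  NOERROR, RRSIGs present, no "ad": signed zone, but this
#                       resolver did not (or could not) validate it
#   unsigned            NOERROR and no RRSIG in the answer
#   servfail            status SERVFAIL
classify_dig_output() {
    f=$1
    status=$(sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' "$f" | head -n 1)
    flags=$(sed -n 's/^;; flags: \([^;]*\);.*/\1/p' "$f" | head -n 1)
    case " $flags " in
        *" ad "*) ad=1 ;;
        *)        ad=0 ;;
    esac
    # answer lines start with the owner name; comment lines start with ';'
    if grep -q '^[^;].*[[:space:]]RRSIG[[:space:]]' "$f"; then rrsig=1; else rrsig=0; fi
    case $status in
        SERVFAIL) echo servfail ;;
        NOERROR)
            if   [ "$ad" -eq 1 ];    then echo validated
            elif [ "$rrsig" -eq 1 ]; then echo signed-unvalidated
            else                          echo unsigned
            fi ;;
        *) echo "other:$status" ;;
    esac
}

# diagnose_servfail PLAIN_FILE CD_FILE
# Same query saved twice: plain, and with +cd (checking disabled, so the
# resolver skips validation). A SERVFAIL that disappears with +cd is a
# DNSSEC validation failure (expired or missing RRSIG/DS), not a name
# server that is down; "disabling DNSSEC" would only hide it.
diagnose_servfail() {
    plain=$(classify_dig_output "$1"); cdans=$(classify_dig_output "$2")
    if [ "$plain" = servfail ] && [ "$cdans" != servfail ]; then
        echo dnssec-validation-failure
    elif [ "$plain" = servfail ]; then
        echo servfail-not-dnssec
    else
        echo no-servfail
    fi
}

# Constructed dig outputs (abridged, not captured from a real server).
DIG_VALIDATED=$(mktemp)
cat > "$DIG_VALIDATED" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60961
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
jfrs.jus.br.            15      IN      SOA     ns1.jfrs.jus.br. srede.jfrs.jus.br. 2010070108 1200 900 1209600 10800
jfrs.jus.br.            15      IN      RRSIG   SOA 5 3 15 20100218162912 20100119162912 37087 jfrs.jus.br. A34y8vwN...
EOF
DIG_CD=$(mktemp)   # same query with +cd: RRSIG still present, no ad flag
sed 's/ ra ad;/ ra cd;/' "$DIG_VALIDATED" > "$DIG_CD"
DIG_SERVFAIL=$(mktemp)
cat > "$DIG_SERVFAIL" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
DIG_UNSIGNED=$(mktemp)
cat > "$DIG_UNSIGNED" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
www.example.com.        300     IN      A       192.0.2.10
EOF

for f in "$DIG_VALIDATED" "$DIG_CD" "$DIG_SERVFAIL" "$DIG_UNSIGNED"; do
    classify_dig_output "$f"
done
diagnose_servfail "$DIG_SERVFAIL" "$DIG_CD"
```

Against a live resolver: dig @resolver +dnssec www.tjam.jus.br > plain.txt; dig @resolver +dnssec +cd www.tjam.jus.br > cd.txt; diagnose_servfail plain.txt cd.txt. If it says dnssec-validation-failure, the fix belongs to the zone owner (see Error 3).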
===============================================================================
DNS test examples using drill:
===============================================================================
## Installing drill (built from source, so it needs the OpenSSL headers):
apt-get install libssl-dev
http://www.nlnetlabs.nl/projects/drill/drill_extension.html
|##########^ Query test examples #############################################|
###############################################################################
# Sites with testing tools: #
###############################################################################
DS record test:
Registro.br:
http://registro.br/cgi-bin/nicbr/dscheck, last accessed 07/08/2008.
Registro.br KSK:
Registro.br:
https://registro.br/ksk/
DNS reporting tool (DNS Reports):
http://www.dnscolos.com
SecSpider, the DNSSEC Monitoring Project:
http://secspider.cs.ucla.edu/
http://www.robtex.com/dns/baixaki.ig.com.br.html
Search on Google:
- DNS Reports
###############################################################################
# Troubleshooting
###############################################################################
Stopping domain name service...: bindrndc: connect failed: 127.0.0.1#953: operation canceled
failed!
(rndc could not reach named's control channel on 127.0.0.1 port 953: either
named is not running, or the key in /etc/bind/rndc.key does not match the
one named loaded; "rndc status" reproduces it outside the init script)
-------------------------------------------------------------------------------
### Known errors:
## Symptoms:
A site cannot be reached because name resolution failed:
-----------------------------------------------------------------------
Error 1: when going through the proxy, Firefox shows the following
message:
The requested URL could not be retrieved
While trying to retrieve the URL: http://www.tjam.jus.br/
The following error was encountered:
Unable to determine IP address from host name www.tjam.jus.br
The DNS server returned:
Server Failure: The name server was unable to process this query.
This means that:
The cache was not able to resolve the hostname present in the URL.
Check if the address is correct.
|---- ^ Error 1 --------------------------------------------------------|
-----------------------------------------------------------------------
Error 2: error seen in the BIND log file
dig @SERVIDOR_DE_DNS www.tjam.jus.br
SERVIDOR_DE_DNS# cat /var/log/daemon.log
Sep 28 11:27:11 ns1 named[2186]: no valid RRSIG resolving 'tjam.jus.br/DNSKEY/IN': 201.90.253.214#53
Sep 28 11:27:11 ns1 named[2186]: no valid RRSIG resolving 'tjam.jus.br/DNSKEY/IN': 201.90.253.215#53
Sep 28 11:27:11 ns1 named[2186]: no valid KEY resolving 'www.tjam.jus.br/A/IN': 201.90.253.214#53
|---- ^ Error 2 --------------------------------------------------------|
-----------------------------------------------------------------------
Error 3: the check on the registro.br site failed:
http://registro.br/cgi-bin/nicbr/dscheck
Domain: tjam.jus.br
DNS server (name or IP): 201.90.253.214
Error:
Invalid DS: Signature expired (Key Tag: 42877)
|---- ^ Error 3 --------------------------------------------------------|
## Cause:
There may be a configuration error on the DNS server of the given domain.
In this case the signature appears to have expired (the RRSIGs were not
renewed before the expiration set at signing time), so a validating
resolver answers SERVFAIL for everything under that zone.
## Solution:
Ask the domain owner to fix it (re-sign the zone). Nothing is wrong on the
resolver side; turning validation off would only hide the problem.
|-----------------------------------------------------------------------------|
-------------------------------------------------------------------------------
### Known errors:
## Symptoms:
Jan 14 15:43:42 ns1 named[15506]: no valid RRSIG resolving 'ns1.jfrs.JUS.br/DS/IN': 200.248.53.141#53
Jan 14 15:25:49 ns1 named[15506]: not insecure resolving 'jfrs.jus.br/A/IN': 200.248.53.142#53
Jan 14 15:36:12 ns1 named[15506]: no valid DS resolving 'www.jfrs.jus.br/A/IN': 200.248.53.142#53
## Cause:
In this case the domain owner signed the key with the KSK but did not sign the domain with the ZSK.
|-----------------------------------------------------------------------------|
-------------------------------------------------------------------------------
### Known errors:
## Question/Issue:
## Symptoms:
Nagios shows the error message below:
dns1 PROCS CRITICAL 30-03-2010 14:52:00 14d 4h 14m 51s 5/5 PROCS CRITICAL: 130 processes - named: 3/1
## Cause:
/etc/nagios/nrpe.cfg
command[check_procs2]=/usr/lib/nagios/plugins/check_procs2 named eq 1
## Solution:
/usr/lib/nagios/plugins/check_procs2 named eq 1
|##########^ Troubleshooting #################################################|
###############################################################################
# References: #
###############################################################################
http://www.debianpt.org/node/959, last accessed 07/08/2008.
Dicas-L:
http://www.dicas-l.com.br/dicas-l/20061114.php, last accessed 07/08/2008.
FAQ (Frequently Asked Questions) - DNSSEC for providers:
http://registro.br/faq/faq9.html
http://en.wikipedia.org/wiki/Page_cache
http://en.wikipedia.org/wiki/Disk_buffer
registro.br:
http://registro.br/cgi-bin/nicbr/dscheck
DNS Security II: DNSSEC:
http://www.crypt.gen.nz/papers/dns_security_2.html
###############################################################################
# Important contacts:
###############################################################################
David at Registro:
(011) 5509-3509
|##########^ Important contacts ##############################################|
###############################################################################
# More monitoring data for analysis:
###############################################################################
### ps
ps aux --sort=-rss | less
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
bind     31984  2.8  6.7 111464 67716 ?        Ssl  Mar10  78:23 /usr/sbin/named -u bind -t /var/lib/bind9
snmp      2515  0.0  0.4  24860  5004 ?        S    2009    3:21 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid
1001     24632  0.0  0.3  12928  3192 pts/0    Ss   08:37   0:00 -bash
(the "-u bind -t /var/lib/bind9" on named's command line confirms it is
running unprivileged and inside the chroot configured above)
|##########^ More monitoring data for analysis ###############################|