Master Server (10.1.1.11):
[root@ns01 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
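options {
    // Listen only on loopback and this host's LAN address.
    listen-on port 53 { 127.0.0.1; 10.1.1.11; };
    // listen-on-v6 port 53 { ::1; };
    // Quotes must be plain ASCII (") — the curly quotes in the pasted original
    // do not parse.
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    // Only the local host and the 10.1.1.0/24 lab network may query at all.
    allow-query { localhost; 10.1.1.0/24; };
    // Zone transfers (AXFR/IXFR) only to the secondary ns02 and the local host;
    // in BIND 9.11 the default without this line is to answer AXFR for anyone
    // allowed to query.
    allow-transfer { localhost; 10.1.1.12; };
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    // This host is authoritative for osi-networks.lab AND recurses for the LAN,
    // the mixed role the comment above advises against. Recursion is limited to
    // the same networks as allow-query; allow-recursion effectively falls back
    // to the allow-query list when unset, it is spelled out so the restriction
    // survives a later change to allow-query.
    recursion yes;
    allow-recursion { localhost; 10.1.1.0/24; };
    forwarders {
        1.1.1.1;
        8.8.8.8;
    };
    // Validation is switched on later in this write-up ("DNS SEC ENABLED");
    // while it is "no", answers from the forwarders are accepted unverified.
    dnssec-enable no;
    dnssec-validation no;
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};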
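logging {
    // Debug output goes to data/named.run, resolved relative to the
    // "directory" option (/var/named). Quotes must be ASCII.
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};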
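// Root hints for recursion; named.ca is resolved relative to "directory".
zone "." IN {
    type hint;
    file "named.ca";
};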
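include "/etc/named.rfc1912.zones";
// Root trust anchor (managed-keys); this is what dnssec-validation relies on
// once it is turned on later in the write-up.
include "/etc/named.root.key";
// The lab zones are defined in /etc/named/named.osi-networks.conf (the file
// listed right below and shown by ls -al); the original path
// /etc/named/osi-networks.conf does not match that name and named refuses to
// start when an included file is missing.
include "/etc/named/named.osi-networks.conf";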
######################################
[root@ns01 ~]# cat /etc/named/named.osi-networks.conf
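//forward zone — this host is the primary ("master") for osi-networks.lab
zone "osi-networks.lab" IN {
    type master;
    // Once the zone has been run through dnssec-signzone this must point at
    // the signed output (osi-networks.lab.db.signed); otherwise the unsigned
    // zone keeps being served. RRSIGs expire (30 days by default), so the zone
    // must be re-signed before then — or let named do it with
    // "inline-signing yes; auto-dnssec maintain;".
    file "/etc/named/zones/osi-networks.lab.db";
    // No dynamic updates: the zone is edited on disk and reloaded.
    allow-update { none; };
    //allow-query { any; };
    // Send NOTIFY to the secondary so it pulls a new serial promptly.
    notify yes;
    also-notify { 10.1.1.12; };
};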
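//backward zone — reverse mapping for 10.1.1.0/24 (left unsigned in this write-up)
zone "1.1.10.in-addr.arpa" IN {
    type master;
    file "/etc/named/zones/10.1.1.rev";
    // No dynamic updates: the zone is edited on disk and reloaded.
    allow-update { none; };
    //allow-query { any; };
    // Send NOTIFY to the secondary so it pulls a new serial promptly.
    notify yes;
    also-notify { 10.1.1.12; };
};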
######################################
[root@ns01 ~]# cat /etc/named/zones/osi-networks.lab.db
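$TTL 86400
; Bump the serial on every edit (YYYYMMDDnn). dnssec-signzone -N INCREMENT bumps
; it once more when the zone is signed (the dig output later shows 2022032502).
@ IN SOA ns1.osi-networks.lab. admin.osi-networks.lab. (
        2022032501 ;Serial
        3600 ;Refresh
        1800 ;Retry
        604800 ;Expire
        86400 ;Minimum TTL
)
$ORIGIN osi-networks.lab.
;Name Server Information
@ IN NS ns1.osi-networks.lab.
@ IN NS ns2.osi-networks.lab.
;IP Address for Name Server
ns1 IN A 10.1.1.11
ns2 IN A 10.1.1.12
;Mail Server MX (Mail exchanger) Record
; The owner must be given explicitly: a record without one inherits the
; previous owner (ns2), so the MX would have been published for
; ns2.osi-networks.lab instead of the zone apex.
@ IN MX 10 mail.osi-networks.lab.
;A Record for the following Host name
; IN A 10.1.1.100
; (if the apex itself should resolve, that line needs an explicit "@" owner too)
www IN A 10.1.1.101
mail IN A 10.1.1.102
; NOTE(review): the reverse zone maps 10.1.1.13/.14 to ntp1/ntp2, which have no
; A record here — add them or drop the PTRs so forward and reverse agree.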
##########################################
[root@ns01 ~]# cat /etc/named/zones/10.1.1.rev
$TTL 86400
; Reverse zone for 10.1.1.0/24. The origin (1.1.10.in-addr.arpa.) comes from
; the zone statement in named.osi-networks.conf, so PTR owners are just the
; last octet of the address.
@ IN SOA ns1.osi-networks.lab. admin.osi-networks.lab. (
2022032501 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
;Name Server Information
@ IN NS ns1.osi-networks.lab.
@ IN NS ns2.osi-networks.lab.
;Reverse lookup for Name Server
; NOTE(review): ntp1/ntp2 (10.1.1.13/.14) have no A record in the forward zone,
; and www/mail (10.1.1.101/.102) have no PTR here — keep both zones in step.
13 IN PTR ntp1.osi-networks.lab.
14 IN PTR ntp2.osi-networks.lab.
11 IN PTR ns1.osi-networks.lab.
12 IN PTR ns2.osi-networks.lab.
; This zone is not signed in this write-up (only osi-networks.lab.db is run
; through dnssec-signzone); it needs its own keys and signing pass if it should be.
########################################
SLAVE (10.1.1.12):
[root@ns02 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
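options {
    // Listen only on loopback and this host's LAN address.
    listen-on port 53 { 127.0.0.1; 10.1.1.12; };
    // listen-on-v6 port 53 { ::1; };
    // Quotes must be plain ASCII (") — the curly quotes in the pasted original
    // do not parse.
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    // Only the local host and the 10.1.1.0/24 lab network may query at all.
    allow-query { localhost; 10.1.1.0/24; };
    // Nothing pulls zones from this secondary, so do not offer AXFR/IXFR to
    // clients; the master restricts transfers the same way, and in BIND 9.11
    // the default without this line is to answer AXFR for anyone allowed to
    // query.
    allow-transfer { localhost; };
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    // Same mixed authoritative + recursive role as ns01; recursion is limited
    // to the networks in allow-query (allow-recursion effectively falls back to
    // that list when unset, it is spelled out so the restriction survives a
    // later change to allow-query).
    recursion yes;
    allow-recursion { localhost; 10.1.1.0/24; };
    forwarders {
        1.1.1.1;
        8.8.8.8;
    };
    // Validation is switched on later in this write-up ("DNS SEC ENABLED");
    // while it is "no", answers from the forwarders are accepted unverified.
    dnssec-enable no;
    dnssec-validation no;
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};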
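logging {
    // Debug output goes to data/named.run, resolved relative to the
    // "directory" option (/var/named). Quotes must be ASCII.
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};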
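// Root hints for recursion; named.ca is resolved relative to "directory".
zone "." IN {
    type hint;
    file "named.ca";
};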
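include "/etc/named.rfc1912.zones";
// Root trust anchor (managed-keys); this is what dnssec-validation relies on
// once it is turned on later in the write-up.
include "/etc/named.root.key";
// Secondary copies of the lab zones (file listed right below).
include "/etc/named/named.osi-networks.conf";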
[root@ns02 ~]#
#######################################
[root@ns02 ~]# cat /etc/named/named.osi-networks.conf
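//forward zone — secondary copy pulled from ns01 (10.1.1.11) by AXFR/IXFR
zone "osi-networks.lab" IN {
    type slave;
    // Must match the address in ns01's listen-on; ns01's allow-transfer lists
    // this host (10.1.1.12), which is what lets the transfer through.
    masters { 10.1.1.11; };
    file "/var/named/slaves/osi-networks.lab.db";
};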
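//backward zone — secondary copy pulled from ns01 (10.1.1.11) by AXFR/IXFR
zone "1.1.10.in-addr.arpa" IN {
    type slave;
    // The primary is 10.1.1.11, as in the forward zone above; the original
    // 10.6.1.11 is a typo and this zone would never have transferred.
    masters { 10.1.1.11; };
    file "/var/named/slaves/10.1.1.rev";
};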
#########################
DNS SEC ENABLED (MASTER) — note: the keys below are generated with NSEC3RSASHA1 (algorithm 7), a SHA-1-based algorithm that is deprecated for new signing; ECDSAP256SHA256 or RSASHA256 is the usual choice today:
[root@ns01 named]# cd /etc/named/zones
[root@ns01 named]# dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE osi-networks.lab
Generating key pair……………………………………………++++ …………………………………………………………………………….++++
Kosi-networks.lab.+007+08405
[root@ns01 named]# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE osi-networks.lab
Generating key pair…++++ …………………………………………………………………….++++
Kosi-networks.lab.+007+27016
[root@ns01 named]# ls -al
total 20
-rw-r--r--. 1 root root 961 Mar 30 00:47 Kosi-networks.lab.+007+08405.key
-rw-------. 1 root root 3319 Mar 30 00:47 Kosi-networks.lab.+007+08405.private
-rw-r--r--. 1 root root 961 Mar 30 00:48 Kosi-networks.lab.+007+27016.key
-rw-------. 1 root root 3319 Mar 30 00:48 Kosi-networks.lab.+007+27016.private
-rw-r--r--. 1 root named 2415 Mar 30 00:03 named.osi-networks.conf
drwxr-xr-x. 2 root named 164 Mar 30 00:03 zones
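#######################################
# Append a "$INCLUDE <keyfile>" line for each DNSSEC key file to the zone
# file of the zone the key was generated for.
# Key files are named K<apex>.+<alg>+<id>.key (e.g.
# Kosi-networks.lab.+007+08405.key). The <apex> part selects the file(s) in
# zones/ whose name starts with it, so osi-networks.lab.db receives the
# DNSKEYs and 10.1.1.rev does not — DNSKEYs for osi-networks.lab. inside the
# reverse zone would be out-of-zone data.
# The $INCLUDE path is written relative, as in the original; named and
# dnssec-signzone resolve it against their working directory, so confirm with
# named-checkzone (or switch to an absolute path) if the zone fails to load.
# Arguments: $1 - directory holding the K*.key files and the zones/ directory
#                 (default: current directory, /etc/named in this write-up)
# Outputs:   nothing on stdout; appends to the matching zone file(s)
# Returns:   0 on success, 1 if a zone file could not be appended to
#######################################
append_key_includes() {
  local keydir=${1:-.}
  local key apex zone status=0 restore_nullglob=0
  # Unmatched globs must expand to nothing, not to the literal pattern
  # (the original `ls osi-networks.lab*.key` never matched the K-prefixed files).
  shopt -q nullglob || restore_nullglob=1
  shopt -s nullglob
  for key in "$keydir"/K*.key; do
    key=${key##*/}
    apex=${key#K}        # Kosi-networks.lab.+007+08405.key -> osi-networks.lab.+007+08405.key
    apex=${apex%%.+*}    #                                  -> osi-networks.lab
    for zone in "$keydir"/zones/*; do
      [[ -f "$zone" ]] || continue
      [[ ${zone##*/} == "$apex"* ]] || continue
      # Re-running the script must not add the same line twice.
      if ! grep -qF -- "\$INCLUDE $key" "$zone"; then
        printf '$INCLUDE %s\n' "$key" >> "$zone" || { status=1; break 2; }
      fi
    done
  done
  if (( restore_nullglob )); then
    shopt -u nullglob
  fi
  return "$status"
}
append_key_includes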
[root@ns01 zones]# dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o osi-networks.lab -t osi-networks.lab.db
Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
osi-networks.lab.db.signed
Signatures generated: 190
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Signing time in seconds: 0.815
Signatures per second: 233.046
Runtime in seconds: 0.840
[root@ns01 zones]#
DNS SEC ENABLED (MASTER & SLAVE):
Modify named.conf on both servers (on the master, also point the zone's `file` at the osi-networks.lab.db.signed output of dnssec-signzone):
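dnssec-enable yes;
// "yes" validates against the trust anchors configured on this server — here
// the root key pulled in by include "/etc/named.root.key"; "auto" would use
// the anchor built into named instead.
dnssec-validation yes;
// dnssec-lookaside auto;  <- DLV (dlv.isc.org) was decommissioned in 2017 and
// the option was dropped from later BIND releases; it adds nothing, leave it out.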
# systemctl reload named
CHECK CONFIGURATION (the dsset file below holds two DS records: digest type 1 is SHA-1 and deprecated, so publish only the SHA-256 one, digest type 2, in the parent zone):
[root@ns01 zones]# cat dsset-osi-networks.lab.
osi-networks.lab. IN DS 27016 7 1 29DBF472213CAF83F9E8E7B4F2660FD66B352D49
osi-networks.lab. IN DS 27016 7 2 7C7521835C30DBCCB2F1219248B2FFECB07E3BA6342AFAEF1290A450 D8EF04DB
[root@ns01 zones]#
[root@ns01 zones]# dig A osi-networks.lab. @localhost +noadditional +dnssec +multiline
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> A osi-networks.lab. @localhost +noadditional +dnssec +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29637
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: ec94ec6c13f2c10398494186624388a34aaf4ee3896a62e7 (good)
;; QUESTION SECTION:
;osi-networks.lab. IN A
;; AUTHORITY SECTION:
osi-networks.lab. 86400 IN SOA ns1.osi-networks.lab. admin.osi-networks.lab. (
2022032502 ; serial
3600 ; refresh (1 hour)
1800 ; retry (30 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
osi-networks.lab. 86400 IN RRSIG SOA 7 2 86400 (
20220428211024 20220329211024 8405 osi-networks.lab.
pnDnmCaXMpio0jakjComTHu8svi8YZo3Cd8no1D21LtJ
ZFqpC4dx5I8ahDmrFYQ8xrNmoOLMNNxvAB6vb827rkTs
hGbr/0Cs1vfEpboBM3LmtEdXOSeYrRUmWJRiBnNhA6r6
qaHJpGVfhBz+UWfglww7zjMycP9luZcq/8/kHS9wI0v8
Opt+CrLfaPS7DF/4lEzlWtxtWBA1q8hgygpUDEIiJ6OE
RhXTATjo32i6GaRvA+vDI6Diza/r2vfH1/SerQVb+x30
