Bind9 – Configuration
Bind9 is the reference implementation for DNS worldwide. In this guide I will not describe how the DNS service itself works, only the dynamic update function driven by RFC 2136 requests.
This part of the configuration requires a DNS domain that you manage; I assume you have a Bind9 server that is the primary server for the zone in question.
For this configuration I’m using a sub-domain of oneos.it, sites.oneos.it. I created the NS records delegating this zone to the Bind9 server we are going to configure. We install bind9 on Ubuntu.
$ sudo apt-get install bind9
All the files bind9 needs are in /etc/bind.
We begin by changing the bind options: add the entry “recursion no;”. This tells bind not to answer recursive queries; it will respond only to records it knows, that is those we write in the zone files, static or dynamic. This is the minimum security measure you MUST apply to a DNS server: most DDoS attacks exploit precisely this incorrect DNS configuration (an open recursive resolver).
options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable
	// nameservers, you probably want to use them as forwarders.
	// Uncomment the following block, and insert the addresses replacing
	// the all-0's placeholder.

	// forwarders {
	// 	0.0.0.0;
	// };

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation auto;
	recursion no;
	auth-nxdomain no;    # conform to RFC1035
	# listen-on-v6 { any; };
};
First we have to generate the key pair that ensures only authorized clients can write records. It will take a while! Two files will be generated, Kpfsense.sites.oneos.it.+157+xxx.key and Kpfsense.sites.oneos.it.+157+xxx.private; keep them safe.
$ sudo dnssec-keygen -a HMAC-MD5 -b 512 -n HOST pfsense.sites.oneos.it
Enter the secret from the .private key file in named.conf.
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

key "sites.oneos.it." {
	algorithm hmac-md5;
	secret "QhPTfqa4HfJt6N9KNcsSwA==";
};
Now let’s write our zone configuration.
// prime the server with knowledge of the root servers
zone "." {
	type hint;
	file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};

// Dynamic Zone sites.oneos.it
zone "sites.oneos.it" {
	allow-update { key "sites.oneos.it."; };
	allow-transfer { "none"; };
	type master;
	file "/var/lib/bind/sites.oneos.it";
	notify yes;
};
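As an added example (my own code, not from this post), here is a small Python audit that parses named.conf-style text and checks the three settings this guide depends on: “recursion no” in options, allow-update restricted to the TSIG key, and a closed allow-transfer. It runs over a constructed copy of the guide’s own options, key and zone fragments and over a deliberately weak variant; the parser covers only the subset of the named.conf syntax those fragments use, and the severity labels are my own choice.

```python
"""Audit a named.conf fragment for the settings this guide relies on.

Added example, not the post's own code. Handles only the named.conf subset
used here: statements, nested braces, quoted strings, //, # and /* */ comments.
"""
import re

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def strip_comments(text):
    # named.conf accepts C, C++ and shell-style comments (';' comments belong
    # to zone files, not here). A quoted string containing '#' or '//' would
    # be mangled by this simple approach; the guide's config has none.
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)


def parse(text):
    """Return a list of (words, children); children is None for a simple
    statement and a nested list for a brace block. Quotes are stripped."""
    tokens = TOKEN_RE.findall(strip_comments(text))
    pos = 0

    def block():
        nonlocal pos
        stmts = []
        while pos < len(tokens) and tokens[pos] != '}':
            words, children = [], None
            while pos < len(tokens) and tokens[pos] not in ('{', ';', '}'):
                words.append(tokens[pos].strip('"'))
                pos += 1
            if pos < len(tokens) and tokens[pos] == '{':
                pos += 1
                children = block()
                if pos < len(tokens) and tokens[pos] == '}':
                    pos += 1
            if pos < len(tokens) and tokens[pos] == ';':
                pos += 1
            if words:
                stmts.append((words, children))
        return stmts

    return block()


def find(stmts, name):
    return [(w, c) for w, c in stmts if w[0] == name]


def audit(text):
    """Return (severity, message) findings; empty list means nothing found."""
    findings = []
    top = parse(text)
    recursion = [w[-1] for _, body in find(top, 'options')
                 for w, _ in find(body or [], 'recursion')]
    if recursion != ['no']:
        findings.append(('HIGH', 'options: recursion is not "no"; an open '
                         'resolver can be abused for DDoS amplification'))
    keys = set()
    for words, body in find(top, 'key'):
        keys.add(words[1])
        for alg, _ in find(body or [], 'algorithm'):
            if alg[-1].lower() == 'hmac-md5':
                findings.append(('INFO', f'key {words[1]}: hmac-md5 works but '
                                 'newer BIND releases default to hmac-sha256'))
    for words, body in find(top, 'zone'):
        zname, body = words[1], body or []
        if [w[-1] for w, _ in find(body, 'type')] != ['master']:
            continue  # hint/slave zones take no dynamic updates here
        for _, acl in find(body, 'allow-update'):
            entries = [e for e, _ in acl or []]
            key_refs = [e[1] for e in entries if e[0] == 'key' and len(e) > 1]
            if not key_refs or len(key_refs) != len(entries):
                findings.append(('HIGH', f'zone {zname}: allow-update is not '
                                 'restricted to TSIG keys'))
            for k in key_refs:
                if k not in keys:
                    findings.append(('MEDIUM', f'zone {zname}: allow-update '
                                     f'references undefined key {k}'))
        transfer = find(body, 'allow-transfer')
        if not transfer:
            findings.append(('LOW', f'zone {zname}: allow-transfer not set '
                             'explicitly; check your BIND version default'))
        elif any(e[0] == 'any' for _, acl in transfer for e, _ in acl or []):
            findings.append(('MEDIUM', f'zone {zname}: allow-transfer is open '
                             'to any host'))
    return findings


# Constructed sample: the guide's own options, key and zone fragments combined.
GOOD_CONF = '''
options {
    directory "/var/cache/bind";
    // forwarders {
    //     0.0.0.0;
    // };
    dnssec-validation auto;
    recursion no;
    auth-nxdomain no;    # conform to RFC1035
};
key "sites.oneos.it." { algorithm hmac-md5; secret "QhPTfqa4HfJt6N9KNcsSwA=="; };
zone "sites.oneos.it" {
    allow-update { key "sites.oneos.it."; };
    allow-transfer {"none";};
    type master;
    file "/var/lib/bind/sites.oneos.it";
    notify yes;
};
'''

# Constructed weak variant: open resolver, anyone may update or transfer.
WEAK_CONF = '''
options { directory "/var/cache/bind"; recursion yes; };
zone "sites.oneos.it" {
    type master;
    file "/var/lib/bind/sites.oneos.it";
    allow-update { any; };
    allow-transfer { any; };
};
'''

if __name__ == '__main__':
    for label, conf in (('guide config', GOOD_CONF), ('weak config', WEAK_CONF)):
        print(label)
        for sev, msg in audit(conf) or [('OK', 'no findings')]:
            print(f'  [{sev}] {msg}')
```

Run it against the real files with something like audit(open('/etc/bind/named.conf.options').read() + open('/etc/bind/named.conf.local').read()); named-checkconf remains the authority on whether the file is syntactically valid, this script only flags the policy settings.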
At this point we create the zone file. Ubuntu uses AppArmor as a security system, so dynamic zones must live in the directory /var/lib/bind, otherwise bind cannot write to them; if you are comfortable with AppArmor you can decide where to put your dynamic zones.
$ORIGIN .
$TTL 604800	; 1 week
sites.oneos.it		IN SOA	dns.oneos.it. admin.dns.oneos.it. (
				1          ; serial
				604800     ; refresh (1 week)
				86400      ; retry (1 day)
				2419200    ; expire (4 weeks)
				604800     ; minimum (1 week)
				)
			NS	dns.oneos.it.
We are ready to start bind.
$ sudo service bind9 start
If everything goes well, our bind9 system is up and running; we can test it with the dig command.
$ dig @dns.oneos.it sites.oneos.it any

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @dns.oneos.it sites.oneos.it any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2253
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sites.oneos.it.			IN	ANY

;; ANSWER SECTION:
sites.oneos.it.		604800	IN	SOA	dns.oneos.it. admin.dns.oneos.it. 1 604800 86400 2419200 604800
sites.oneos.it.		604800	IN	NS	dns.oneos.it.

;; Query time: 109 msec
;; SERVER: 51.254.34.130#53(51.254.34.130)
;; WHEN: Sun Jun 12 10:15:56 CEST 2016
;; MSG SIZE  rcvd: 103
This is the correct output.
pfSense – RFC 2136 Clients
Now we configure pfSense to send the changes.
Go to Services -> Dynamic DNS -> RFC 2136 Clients and click on +Add.
We analyze the items:
- Interface – our balancer; if one WAN goes down, your client will send the other IP.
- Hostname – the name of your pfSense, which must coincide with the system name.
- TTL – the refresh time in seconds for the name; I set it to 10 while testing, but if your IPs are static you can set a higher value.
- Key name – the name of our key; it must coincide with the one written in named.conf.
- Key Type – the kind of key generated.
- Key – our key.
- Server – the IP address of the DNS server.
- Record Type – the kind of record we are going to write; in my case I chose not to write IPv6 records since my pfSense has none.
Before you save and update, I suggest opening the syslog with tail -f and watching what happens; this is my output.
Jun 12 10:24:58 vps named[7414]: client 1.1.1.2#46064/key sites.oneos.it: signer "sites.oneos.it" approved
Jun 12 10:24:58 vps named[7414]: client 1.1.1.2#46064/key sites.oneos.it: updating zone 'sites.oneos.it/IN': deleting rrset at 'pfsense.sites.oneos.it' A
Jun 12 10:24:58 vps named[7414]: client 1.1.1.2#46064/key sites.oneos.it: updating zone 'sites.oneos.it/IN': adding an RR at 'pfsense.sites.oneos.it' A
Jun 12 10:24:58 vps named[7414]: client 2.2.2.2#46064/key sites.oneos.it: signer "sites.oneos.it" approved
Jun 12 10:24:58 vps named[7414]: client 2.2.2.2#46064/key sites.oneos.it: updating zone 'sites.oneos.it/IN': deleting rrset at 'pfsense.sites.oneos.it' A
Jun 12 10:24:58 vps named[7414]: client 2.2.2.2#46064/key sites.oneos.it: updating zone 'sites.oneos.it/IN': adding an RR at 'pfsense.sites.oneos.it' A
As you can see, I have included both outputs: the first is the update sent through the WAN gateway; after unplugging the WAN, the client sent the IP change to the DNS through WAN2GW.
Since version 2.3 of pfSense there is a bug (#6357) that prevents proper operation; it will be resolved in version 2.3.2.
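To keep an eye on who is using the update key, here is an added example (my code, not from this post) that parses the named update log lines above and summarises, per TSIG key, the source addresses that used it and the names they changed, raising an alert when a signed update comes from an address that is not one of the pfSense WAN addresses expected to hold that key. A key used from an unexpected address is the signal you want, since anyone holding the secret can rewrite the zone. The sample input is the six lines above plus one constructed “update denied” line; check the exact wording of that denied line and the “client” prefix against your BIND version (newer releases print a client pointer after “client”).

```python
"""Summarise BIND dynamic-update log lines per TSIG key and source address.

Added example, not the post's own code. Matches the BIND 9.9 log format shown
in the post; other versions may differ slightly.
"""
import re
from collections import defaultdict

# Constructed sample: the post's two updates plus one made-up denied attempt
# from a documentation address (203.0.113.0/24).
SAMPLE_LOG = """\
Jun 12 10:24:58 vps named[7414]: client 1.1.1.2#46064/key sites.oneos.it: signer "sites.oneos.it" approved
Jun 12 10:24:58 vps named[7414]: client 1.1.1.2#46064/key sites.oneos.it: updating zone 'sites.oneos.it/IN': deleting rrset at 'pfsense.sites.oneos.it' A
Jun 12 10:24:58 vps named[7414]: client 1.1.1.2#46064/key sites.oneos.it: updating zone 'sites.oneos.it/IN': adding an RR at 'pfsense.sites.oneos.it' A
Jun 12 10:24:58 vps named[7414]: client 2.2.2.2#46064/key sites.oneos.it: signer "sites.oneos.it" approved
Jun 12 10:24:58 vps named[7414]: client 2.2.2.2#46064/key sites.oneos.it: updating zone 'sites.oneos.it/IN': deleting rrset at 'pfsense.sites.oneos.it' A
Jun 12 10:24:58 vps named[7414]: client 2.2.2.2#46064/key sites.oneos.it: updating zone 'sites.oneos.it/IN': adding an RR at 'pfsense.sites.oneos.it' A
Jun 12 10:31:07 vps named[7414]: client 203.0.113.9#5555: update 'sites.oneos.it/IN' denied
"""

CLIENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)(?:/key (?P<key>\S+))?: (?P<msg>.*)$"
)
UPDATE_RE = re.compile(
    r"updating zone '(?P<zone>[^']+)': (?P<op>deleting rrset|adding an RR) "
    r"at '(?P<name>[^']+)' (?P<rtype>\S+)"
)


def parse_line(line):
    """Return a dict describing one update-related log line, or None."""
    m = CLIENT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    msg = rec.pop("msg")
    if msg.endswith("approved"):
        rec["event"] = "approved"           # TSIG signature accepted
    elif msg.endswith("denied"):
        rec["event"] = "denied"             # unsigned or wrong-key attempt
    else:
        u = UPDATE_RE.search(msg)
        if not u:
            return None
        rec["event"] = "delete" if u["op"].startswith("deleting") else "add"
        rec.update(zone=u["zone"], name=u["name"], rtype=u["rtype"])
    return rec


def summarize(log_text, expected_clients):
    """expected_clients maps key name -> set of source IPs allowed to use it
    (here: the pfSense WAN addresses). Returns (per_key, denied, alerts)."""
    per_key = defaultdict(lambda: {"clients": set(), "names": set(),
                                   "adds": 0, "deletes": 0})
    denied = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "denied":
            denied[rec["ip"]] += 1
            continue
        stats = per_key[rec["key"]]
        stats["clients"].add(rec["ip"])
        if rec["event"] in ("add", "delete"):
            stats["adds" if rec["event"] == "add" else "deletes"] += 1
            stats["names"].add(rec["name"])
        elif rec["ip"] not in expected_clients.get(rec["key"], set()):
            alerts.append(f"key {rec['key']} used from unexpected client "
                          f"{rec['ip']} at {rec['ts']}")
    return dict(per_key), dict(denied), alerts


if __name__ == "__main__":
    # Assumed: 1.1.1.2 and 2.2.2.2 are the two pfSense WAN addresses.
    per_key, denied, alerts = summarize(SAMPLE_LOG, {"sites.oneos.it": {"1.1.1.2", "2.2.2.2"}})
    for key, stats in per_key.items():
        print(key, sorted(stats["clients"]), sorted(stats["names"]),
              f"adds={stats['adds']} deletes={stats['deletes']}")
    print("denied:", denied)
    print("alerts:", alerts or "none")
```

Feed it the real log with summarize(open('/var/log/syslog').read(), {...}) and wire the alerts into whatever you already monitor; an entry in denied is normal background noise on an Internet-facing server, an entry in alerts means the key is in use somewhere you did not expect and should be rotated.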
pfSense – Routing
In the previous article I set up two more Gateway Groups, WAN_DOWN and WAN2_DOWN.
Using one or the other we can create custom routes. Say we have at least two VLANs (802.1q) internally; we can use our Gateway Groups to force each VLAN’s outbound traffic, so instead of load balancing we get a simple failover. As for the LAN, we change the Gateway in the rules of each VLAN, setting the Gateway Group most appropriate to our use; if the primary gateway for a VLAN fails, the system will divert the packets to the secondary Gateway.
Enjoy!