BIND - named service for DNS

Captions
Here we go, my xxx video on setting up a BIND server. Now this one has a PowerPoint, so maybe it'll stick a little bit better. We know what named does; the last video should have taken care of that. We're resolving names to IP addresses, and in this case we are setting up an authoritative name server to do that for the outside. We are the server portion of it now.

First thing to start off with: bind is just a package name. When you install it you'll say yum install bind. All the rest of the time it's going to be referred to as named, in the same way that Apache is; it calls itself httpd. named should be updated frequently because it has traditionally been a target for hackers to get into networks, and BIND is the biggest DNS server out there by far, the same way as Apache is for Linux. It's had vulnerabilities in the past, but that's the older versions; if you saw a version of BIND like v8 go up, you won't see too many of them, because they would get slaughtered pretty quickly out there on the internet. So BIND 9 is what we're on right now, and like I say there's a lot of it out there, so it's bound to be fairly stable, but again you should patch it frequently: number one just for common sense, but two, just to keep it up to date.

If you're going to install it, the first thing you should do is check to see if it's already there: rpm -qa | grep bind, to see what's there. Some stuff will pull up: you'll see bind-utils, you'll see ypbind, which is something completely different, you'll see basically the client end of bind. What we need is the server end of bind, and to get that you say yum install bind. After installation they don't give you any sample files the way that Red Hat and CentOS do. This will be a little bit different if you did it under a different release, but there's always the /usr/share/doc directory, and in this case under /usr/share/doc there is a sample directory, and in sample you have basically just remade /etc and /var. So what it's got in /etc you copy into your actual /etc recursively, and what's in sample's /var/named you can copy into your /var/named. Now your /var/named won't be there until you install bind, which sort of makes sense. So these are your commands, and we'll come back to them in a couple of minutes if you need them; it's just a recursive copy of everything that's in these directories, and that gives you a starting point if you need a starting point, and we do.

The main configuration file for BIND is, as you would figure, in the /etc directory, called named.conf. It's in /etc because it doesn't change a ton: you're going to list, here are the domains that I'm responsible for, boom, and it doesn't change a lot after that. The zone information, that has your records about which hosts and things are in your domain, will change a good bit, especially if it's dynamic, and those are stored in /var/named. /var has stuff that changes a good bit. For an example, think if you had lots of laptops and you were doing dynamic DNS and people were coming and going and coming and going, so that would use /var because it would change quite a bit. Errors are spit just to /var/log/messages by default. If you did a lot of this you may want to configure it to spit them into some different place, and it has the capability to do that, but just plain-Jane BIND is going to spit them into messages.

Operation: we have a DNS client and he's connected up to the internet. A machine, we'll say, is using this DNS client; the client could be a server, that could be a preferred DNS for somebody. It says host machine1.example.com. The DNS client receives a request for an IP on example.com. Assuming it is not cached, it's going to look it up: look up the start of authority name server for example.com in the hierarchy of DNS, just like that last video. It's going to go here, here, here, here, here and find out who is the SOA for example.com. Once it finds it, it's going to contact that DNS server and say, hey, you've heard of a guy called www on example.com? The DNS client sends the request to the server that has the SOA. Now this server, in its /etc directory, is going to have a named.conf, and it's going to look it up and say, what do you know, I have example.com, I can tell him something about it. example.com is going to... this is where the zone declaration is; it's just going to be a handful of lines. It's going to point it to /var/named, to /var/named/example.com.zone, which would be specified in here, and here's all of your records and information about your zone. It goes and it looks at this: what did you want, machine1? Aha, I have that guy. It's found, and the DNS server can send back an authoritative answer about machine1.example.com.

Here is your /etc/named.conf. A lot of these configuration files, if you go to the trouble of just sitting down and reading them, you'll find just all kinds of gems of information. Comments are a little bit different: they use the C++ style, anything after a slash slash is considered a comment. I'll say this is old school a little bit: the pound sign still would be considered a comment, and the semicolon is not, because the semicolon is considered the end of a line. Sections are grouped... I didn't have the actual end because this file is so large, but sections are grouped into stanzas by curly braces, so this would be the options stanza, and then further down here you'll see the ending curly brace. OK, your options section: these are going to be options that are for the entire thing, the ports you're going to use, statistics, different things to measure it with. The thing that's going to be most important, this one, directory "/var/named", that specifies where the zone files are held. It also says if you just stick a name out here without any kind of path before it, it's just going to assume that it's going to be in /var/named, so this right here would be found in /var/named/data. This just gives you basically a baseline unless you specify a path name; if you have something that starts with a slash, that's an absolute pathname and that wouldn't apply.

All right, all BIND 9 zones are in a view. I'm just going to, forgive me for reading a little bit of this: allows different zones to be served... you can have different things for different options; it's the concept of a view. If the word view is not found, that means that whatever zones you list are going to be given to everybody, so you can get rid of the concept of views just by not including the word view in your named.conf. That's the way it's always been done in the eighth and earlier versions of BIND, and that's OK, but at that point you need to start looking at having two DNS servers, because, like I said, this is a favorite place to get hacked and you don't want your internal information being spit out onto the internet for everybody. And that's what it's saying: if it contains any view clause, then all zones must be in a view, so you don't have like a default view. You've got three views the way that we've got it set up here: you have localhost, internal and external, and we'll see those in just a minute. So if you have view anywhere in there, you've got to respect all of the views; it's an all-or-nothing kind of thing. So it is recommended to start off using views to avoid having to restructure your configuration in the future. This is just good practice; this is where it's going to go, it's not coming back. It just makes more sense with defense in depth: you want every level of your network defending itself somehow or another. Kind of like in the Army: if you're a cook, you're a soldier first, you shoot a gun; if you're a pilot, you're a soldier first, you learn how to shoot the gun. Everybody in the outfit is going to know something about security.

The localhost resolver, that's our first one. This is for the machine itself, this is for the machine you're sitting at, localhost, that is running named. Whatever is listed in this stanza... and I actually managed to get the whole stanza on the screen at one time, so you can see the beginning and the ending curly brace. It's just for the local machine, localhost_resolver. Resolver, I know, that says revolver eventually. Just things used by the local machine. Root hints is included in every view. What do root hints do? I told you where that dot at the beginning of the DNS of the internet is, right? So that's going to be in all zones. RFC 1912 sets up your stuff for if you point to localhost: a .localdomain is going to point to just a local machine, and those are all listed in an external file, /etc/named.rfc1912.zones. So it answers... it uses your DNS to answer stuff about your local machine, because a lot of processes are going to point to localhost. So this way you can set your /etc/resolv.conf to 127.0.0.1; it doesn't matter if it's in your /etc/hosts or not, all the stuff that's about .localdomain is going to go locally. If you ping fred.localdomain it's going to be local, so that's what the RFC 1912 is about. This will be the only place that you include 1912; any other place it wouldn't make sense. If you were a machine on this network somewhere and asked for localhost at example.com, it's not going to make sense; it's apples and oranges.

The internal view: this is going to be for machines that are on the same network as your network card. It's going to look at your IP address and it's going to know, with your IP address and your subnet mask, the guys that are in its local network. If you looked back in the back, instead of localnets it said localhost; this is localnets that it's going to match, match-destinations, match-clients, and it tells you this is for local machines. Notice root hints is included; that makes sense, it's going to be in all of them. Notice RFC 1912 is not included: it's there, but it is commented out, and it tells you you shouldn't serve these to non-local hosts/clients.

OK, we're still in internal, and it's showing you this is our first authoritative zone, my.internal.zone. This is a little example of a zone declaration, and it's telling you that anything that you have in internal is pretty much automatically going to have to be in localhost_resolver. It'd be weird to say I'm going to serve this to my local network, I don't want to know about it myself; that's just going to cause confusion. So any time that you add something to internal, just as good practice, go ahead and load it on into localhost_resolver as well; it would be a really odd situation that you wouldn't want to do that. This is your first zone. Notice you've got curly braces, curly braces enclosing the whole thing, a semicolon after the curly braces, and this would be for anything that was sent to .my.internal.zone. That's where the zone is declared and we'll look at that again in just a minute. So if you looked for host1.my.internal.zone, this is where the answer is going to be found: it's going to go to this file in /var/named, go look it up, and it's going to return information about it. Notice that host1 isn't listed anywhere in here; it's over here, it's a host record in this file here. OK, this just points to it and gives it some options. I'll go ahead and start this and say it again a couple more times: you've got to really pay attention to syntax in BIND. That's one thing that really knocks students in the head when they first try to set this up: not having quotes around something, not having a semicolon after quotes, not having a semicolon at the end of every line. It's very, very, very picky about its syntax, and you will find that quickly.

The way that Red Hat/CentOS sets this up I think is a little bit funny, but this is your ddns_key, dynamic DNS. It's saying OK, if anybody is going to be updating records on this, we don't want just anybody in the world coming and pumping crap into our DNS, so whoever is going to do it, we want them to have this password right here, and to generate a hash you've got to use this program to do it. And see, they put the cute little comment in here: use this to generate a TSIG key. And it's saying that it's supposed to be a hash; if you leave it like this, named's not going to start, it's going to say what's this garbage and it will die right there. So what you have to do is to go out, run the command that it's telling you to run, just read the thing, it'll spit out some output, and then you put that between your quotes. The hardest thing is remembering to get it right between the quotes: no spaces, no nothing. There you go, there's your original text, just a little snippet. What you do is go out to a prompt, I do it in another terminal so it's easy to cut and paste, you run that command and it spits out one big long hash. You're going to paste it in, paste a big long hash in where it used to say "use this TSIG key". Once you've done that, you're ready to go forward.

Your external view, that's our last view. This is going to be, what does it say, serve to external clients and addresses that are not on your directly attached LAN interfaces. To simulate this in the lab I usually whip out a router and put people on a different network to see what resolves. And they give you a warning: contains entries just for your web and mail servers. You'd have to be very, very careful about what you put in external. External is what you're showing to everybody; you don't want records in there about here's my SQL server and here's all this other stuff, here's the boss's machine name and IP address, here's... you just did a complete zone transfer to footprint my entire network and come in and tell me all the pieces. So in this tiny little zone you just have a couple of very selected records; in general that's just going to be your web and mail servers. What else is somebody else going to hit on your network unless you have something specific and funky running? If you have an FTP server for something specific, you could.

Say, creating a zone: this is declaring a zone. This is in /etc/named.conf. Again, to pound it home, punctuation is a big deal, and that's where students mess up; students and the instructor, I might add, mess up a bunch. There is the name of the domain to be resolved; notice it doesn't have a www or anything in front of it, it is just the domain name with its top-level domain. You've got three different types of domain: master, slave and hint. Hint is a very specific thing; let's say it'll go find me the root of the DNS of the internet. Masters, we talked about these a little bit before: masters can be updated; slaves, they get zone transfers; they both can be queried. So those are your three types that you can have in there. The next thing that it has is an example of where your zone file is, where's all the rest of the information about this guy: example.com.zone. We're going to assume that the directory statement is up above in the global options to say it's pointed to /var/named. Who updates this record? Now by default it sticks a none in there. Let me point out that there's a space right there; if it's not there, you'll choke. But anyway, who do you want to update and to put in records for this zone? If you leave it at none, then you as the administrator are the only person that can go in and add records. A little tedious, but another thing that you can do is specify an IP address of a DHCP server, or maybe of something else, to let it update your zone. On some networks, if it's very, very trusted, you could let the machines themselves update their DNS records; Windows will let you do that if you trust your machines. I like the idea better of just having a single IP address in here to allow it to update. Again, this brings up the point that everything needs to have a static IP address; if your DHCP server didn't have a static IP address, that would be... all right. There again, there's a space right there.

Where to place your zone: once you've got it figured out, to say here's what I want to do, on a set of master zones I want to point to this zone file, you can put them directly in /etc/named.conf; that's the way it's always been done. Problem is, every zone that you work with is going to have to be put in there, right? In the old days you didn't have views; you could slap it in there and then go do your zone file and you were cool. What if you administer ten different zones? Then you've got to list each at least twice in /etc/named.conf, so that right there is an administration hassle, just doing extra work. And what really gets to be a hassle is you have to make sure the one that's in internal is the same as the one that's in localhost_resolver, and if you're like me you'll go through and find it, say oh there it is, and fix it, and never think to fix the second one. Then you've got confusion between your zones, although it would still work. So to keep from listing them repetitively in named.conf you can define a separate file. Remember I talked about the 1912? You had an include statement that went out and fetched some zones. Well, you can use an include statement in /var/named.conf, that should be /etc/named.conf there and there, but anyway, you can specify them in there and just go out and fetch, like a little assistant file, and you can call it whatever you want to. I'm going to set up more.zones, I think; in another video, an example, I call that stuff.zone. But what this is is a list of additional zones that I administer, and I've got example.com and chicken.com, and master, there's the file to go get, don't allow anybody to update. This is like the simplest example. Then what you can do in named.conf, this is all named.conf: here is my localhost view and here is my internal view. I just hashed out some stuff just to see what I'm doing. It's got include named.root.hints; well, you can just come in after that and say include /etc/more.zones, because I just created that file I just showed you, and the same thing in internal. So I've got it in localhost and I've got it in internal, and then when I edit the file it winds up being changed in both places.

Back to the operation: the DNS server looks for it in named.conf, then if it's in another zone... this effectively at runtime would get slapped into this. So this may be a tiny bit misleading, but this actually winds up being all one big thing when it's in RAM; it includes all of these in with all of these, but conceptually this is what's happening. It goes and finds the machine; we have the same sort of thing that way, they're still found, it's just a little bit easier to administer.

Now we've talked about named.conf; we told it where it needs to point. Now let's talk a little bit about, we're in /var/named now, the zone files. This is where all of your record information is going to be. To help yourself, when you did that copy from sample in /usr/share/doc, it gave you a localdomain.zone, which gave you an example zone file; it gave you a jumping-off point. Some zones have to be readable by named the user. The way we installed it, that happened automatically, but if you were root and you copied it, they would pop in as root. When you did this copy, localdomain.zone to steven.domain.zone as root, root would be the owner of the new one, and depending, if root had a funky umask, named could wind up not being able to read it, which would be bad.

There is our example zone file; that should be example.com.zone because it's in /var/named. Time to live, TTL: this is a default time to live for records, so when another server gets it, it can tell it this is pretty stable, you can keep it for a while, a high number, or you could say this is not real stable, it's been changing a whole lot, let me give you a low number, and if it times out just come back and ask me again. You can specify it per record if you want to do that, but this is a catch-all if it's not specified, and 86400 is 60 days, which is a pretty long time to keep a record. Apparently we're pretty optimistic about our records.

This is a single record; notice that it runs all the way from here to here, and it's declaring itself as start of authority. chicken.com, on ours it's replaced with an @ sign; they replace all these with like the least thing that you can put in there, and when you copy that sample the way that it's set up, it winds up being a little bit harder to understand, to demonstrate. But anyway, this would be the zone that we're talking about; this is the chicken zone, and I like changing this one out. If there was the ampersand or the @ sign, I put this just to kind of give you some visual reaffirmation of which zone you're working on, and it must end in a dot. Somehow I know that I left it off there, but that should be chicken.com. with the dot. Anything that doesn't end in a dot is going to get chicken.com splattered at the end of it, so the way this is written, and I'll change it, it's chicken.com.chicken.com, so that would have to be fixed. And we'll talk more about these IN records here in a minute: IN means the internet, it's just a type of record. An SOA declares start of authority, saying I am the dude to respond, I'm the dude to ask. localhost, that is the name of the primary DNS for example.com, and since we're setting it up right here, localhost is fine; you could also have mail.chicken.com. if you wanted to be fancier with it, and then define it down here. root: again this is the simplest, since we are on this local machine, it says send stuff to root, and it would send it to root on the local machine. But if you had somebody else administering this DNS you could put in, this actually is an email address in a funky format: since the @ means something different, it would be root.abtech.edu where normally you would see an @ sign; you replace the @ sign with a dot. So that way you can have it email your cell phone. In between the two parentheses are a list of options for the slaves, the slave servers that will come up and ask stuff. And you even get some computer geek silliness in here, with 42 from Hitchhiker's Guide to the Galaxy, and he even went and got him a credit in there. But what this serial number is is the master talking to the slaves about what revision that it's using. If the slave sees that the master has a 43 and he's only got a 42, he's going to say, whoa, time for a zone transfer, need some more information.

Start the service: service named start. If you have bad errors it'll stop and it will kick them out to the screen right there and you can work on them. Errors are pretty good: this is a pretty big program, been out there, a lot of people work with it, so consequently you have a lot of good errors. Bad thing is, if a single domain has some syntax errors or some problems, the rest of named at times can start, and you'd have to look through /var/log/messages to see, oh, this started wrong for this one domain, something's wrong with it. So even though you get an OK message, parts of it can be screwed up, but it's not a fatal screw-up. After this service named start, I'm going to tail -50 /var/log/messages and scratch out what's important to us. Basic stuff says it's starting, down to CPU, using /etc/named.conf, what it's on, the ports. Then you get into some more interesting information: it's going through and loading its zones. Remember localhost_resolver, that's what it's doing first; it's going to pick up all of these, and it's giving the serial number. This is a different type of serial number, which actually makes more sense: it's got year and month and day and then two fields, so that way you could have a hundred updates to your DNS a day and that would still work. This makes a whole lot more sense to me than a 42 out of a silly book, but anyway, that works. All these are localhost_resolver that have come in. These are your internal zones; they all say internal, and we went through and read all of those in, and you could look through and there shouldn't be a 1912, and here is where there was a 1912 above. Now this references back a little bit to localhost_resolver, but notice that chicken.com and example.com both loaded in and they appear to be happy: zone chicken.com in localhost loaded with the 42, and in internal it loaded with a 42. If you had a syntax error, more than likely both of them would splatter, or both are going to work, whichever. General: zone loads, and it's announcing that it is running, good to go.

OK, this is where I got off the PowerPoint, but we talked yesterday about preventing zone transfers, and the one thing that we had to do, and I'm just going to click on this and go back, when you had an example of a zone, right here it is, thanks, we found it, believe it or not. You've got your zone, master, and allow-update. What I wanted to show you was, as a client, once this is up and running, you can do a host -la and take example.com and point it to this DNS and you will get a complete zone transfer, which is not so pretty good. So what you would want to do is to go in and do allow-transfer, allow-transfer, and the way I'm setting it up right now with just me, you're doing allow-transfer on both of these. I think the other video actually shows this, that I didn't allow-transfer none on the one and not the other. This would prevent a zone transfer by just anybody. In the real world, when we get into doing master and slave, you'll see allow-transfer and then your slave's IP address right there, because he's the only guy you want doing a zone transfer. All right, so hopefully that helped you some with setting up a server in
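The view layout the video walks through, written out as an added example rather than the CentOS sample file shown on screen. The addresses (192.168.10.0/24 for the LAN, 203.0.113.53 for the slave) and the file name /etc/more.zones are assumptions; the TSIG secret is a placeholder that has to be replaced with generated key material before named will start.

```conf
// /etc/named.conf (added example; addresses and file names are assumed)
options {
    directory "/var/named";           // bare file names below resolve here
    listen-on port 53 { any; };
    allow-query { any; };
};

// The sample file ships with a comment in place of the secret; named refuses
// to start until a real key (from dnssec-keygen, or tsig-keygen on newer
// BIND) is pasted between the quotes with no surrounding spaces.
key ddns_key {
    algorithm hmac-md5;
    secret "REPLACE_WITH_GENERATED_TSIG_KEY";
};

acl "lan"       { 192.168.10.0/24; };  // assumed internal network
acl "secondary" { 203.0.113.53; };     // assumed slave server

// Once any view exists, every zone must live inside a view.
view "localhost_resolver" {
    match-clients      { localhost; };
    match-destinations { localhost; };
    recursion yes;                      // this box may use itself as a resolver
    include "/etc/named.root.hints";    // root hints go in every view
    include "/etc/named.rfc1912.zones"; // localhost/localdomain: this view only
    include "/etc/more.zones";          // our own zones, shared with internal
};

view "internal" {
    match-clients      { lan; };
    match-destinations { lan; };
    recursion yes;
    include "/etc/named.root.hints";
    // rfc1912 zones deliberately NOT included: never serve them to other hosts
    include "/etc/more.zones";          // same file, so both views stay in sync
};

view "external" {
    match-clients      { any; };
    match-destinations { any; };
    recursion no;                       // strangers get authoritative answers only
    zone "example.com" IN {
        type master;
        file "external/example.com.zone";  // web and mail records only
        allow-update   { none; };
        allow-transfer { secondary; };     // only the slave may pull a transfer
    };
};

// /etc/more.zones (assumed name): zone declarations pulled into both the
// localhost_resolver and internal views above, so each zone is listed once.
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-update   { none; };           // administrator edits the file by hand
    allow-transfer { secondary; };      // not "any": no transfers to just anybody
};
zone "chicken.com" IN {
    type master;
    file "chicken.com.zone";
    allow-update   { key ddns_key; };   // dynamic updates only with the TSIG key
    allow-transfer { secondary; };
};
```

Checking the result with named-checkconf before restarting catches the missing-semicolon and missing-quote errors the video warns about, without taking the running server down.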
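A zone file for the chicken.com example, as an added illustration of the SOA, trailing-dot and serial-number points made above; it is not the sample file from the video, and all addresses are constructed.

```conf
; /var/named/chicken.com.zone (added example; addresses are constructed)
$TTL 86400                  ; default TTL, 86400 seconds = one day
$ORIGIN chicken.com.        ; appended to every name that lacks a trailing dot

; One SOA record, even though it spans several lines inside the parentheses.
; hostmaster.chicken.com. is the contact hostmaster@chicken.com with the @
; written as a dot, because @ already means "the zone itself" here.
@   IN  SOA  ns1.chicken.com. hostmaster.chicken.com. (
            2017071001  ; serial: YYYYMMDDnn, bump it on every edit or
                        ; slaves will never notice the change
            3600        ; refresh: how often slaves compare serials
            900         ; retry: wait after a failed refresh
            1209600     ; expire: slaves stop answering after this long
            3600 )      ; negative-cache TTL for "no such name" answers

; Name servers: ns1 is this master, ns2 is the slave allowed to transfer.
@       IN  NS   ns1.chicken.com.
@       IN  NS   ns2.chicken.com.

; Mail exchanger for the zone.
@       IN  MX   10 mail.chicken.com.

; Hosts. A bare name such as "www" becomes www.chicken.com. because of
; $ORIGIN; writing "www.chicken.com" WITHOUT the final dot would instead
; become www.chicken.com.chicken.com, the doubling the video points out.
ns1     IN  A    192.168.10.53
ns2     IN  A    203.0.113.53
mail    IN  A    192.168.10.25
www     IN  A    192.168.10.80
host1   IN  A    192.168.10.101
```

Running named-checkzone chicken.com /var/named/chicken.com.zone reports the serial it parsed and any name that was accidentally expanded twice.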
Info
Channel: Steven Marcus
Views: 28,406
Rating: 4.9117646 out of 5
Keywords: DNS, BIND, Named, CentOS, BIND server, named server, DNS server, Linux DNS, Linux BIND, Linux named, CentOS DNS, bind tutorial, bind example, named tutorial, named example
Id: -r5A-H5nxcA
Length: 29min 46sec (1786 seconds)
Published: Mon Jul 10 2017